Lloyds Bank this weekend fired a salvo at Facebook-owner Meta, slamming it for failing to stop a ‘Wild West’ surge in online shopping scams. Britain’s biggest retail bank – which has 26 million customers – blasted the social media giant for enabling so-called ‘purchase’ frauds.

The banking group claimed two-thirds of the scams start on Meta-owned platforms, which also includes Instagram.

Banks and insurance groups have been frustrated for years that social media companies are not made to pay their fair share of compensation to victims for frauds hosted on their platforms.

But it is highly unusual for a lender like Lloyds to take aim at an individual tech firm like Meta.

The intervention puts Lloyds Banking Group boss Charlie Nunn at loggerheads with Facebook tycoon Mark Zuckerberg.

British banks have previously urged ministers to tackle online financial scams amid concerns that criminals are using Facebook and Google to place fraudulent advertisements with impunity.

The failure of internet giants to check the authenticity of digital ads has led to a surge of scams, they claim. These include ‘brand cloning’, where criminals impersonate legitimate businesses to dupe victims into handing over their savings. Purchase fraud tends to target younger consumers who are tricked into paying for sought-after items that don’t actually exist.

Victims are lured by the offer of a cheap deal – often advertised on social media – and then asked to send money from their own secure online bank account direct to the seller via a transfer system known as faster payments.

However, this provides very little protection when things go wrong.

The scam is a small but growing part of online fraud, which now accounts for 40 per cent of all crime and costs £7 billion a year, according to latest government figures.

The number of purchase frauds has soared by 40 per cent since the start of the pandemic to over 117,000 cases in 2022, according to the UK Finance trade body. It coincided with a boom in online shopping, more time spent on social media and shortages of certain goods caused by supply chain issues.

Lloyds, whose brands include Hailfax and Bank of Scotland, estimates that someone falls victim to the scam on a Meta-owned platform every seven minutes, costing consumers £27 million this year alone.

The average amount lost by the victims of purchase scams is around £570. Clothes, trainers, gaming consoles and mobile phones are among the most common goods being falsely advertised for sale.

Lloyds said it reimburses ‘the majority’ of victims and has invested ‘hundreds of millions of pounds’ in security systems to beat the scammers.

But refunds don’t address the emotional trauma of being a victim of fraud or stop the flow of money to organised crime, it added.

‘Social media has become the Wild West of online shopping in recent years, with very few checks in place to verify who is selling what,’ said Liz Ziegler, fraud prevention director at Lloyds Banking Group.

The Government’s new national fraud strategy allows banks more time to slow down suspicious payments. But Ziegler said banks couldn’t fight the ‘epidemic of scams’ alone.

‘It’s high time tech companies stepped up to share responsibility for protecting their own customers,’ she said.

‘This means stopping scams at source and contributing to refunds when their platforms are used to defraud innocent victims.’

An amendment to the long-delayed Online Safety Bill requires social media firms to prevent paid-for fraudulent adverts, regardless of whether the ads are controlled by the platforms or an intermediary. It followed pressure from consumer groups, charities and the banking industry who claimed the Government’s approach to tackling online fraud was ‘flawed’.

But critics say the proposals still don’t go far enough. ‘Fraudsters don’t just pay for adverts or create fraudulent content that fits within the scope of the Bill,’ said a banking industry source. ‘The exclusion of online marketplaces like Facebook’s is therefore a significant loophole.’

Campaigners say only the threat of fines will force the social media companies to act.

‘Without penalties there’s nothing in it for them to stop the scams from happening,’ said consumer champion Baroness Altmann. She fears the Government is ‘absolutely terrified of upsetting the tech companies’ and of being seen to clamp down on the free market.

James Daley, founder of consumer campaign group Fairer Finance, said social media sites had become ‘a gateway for fraudsters’.

‘Firms like Meta have a clear responsibility to step up and protect their users,’ he said. ‘But if past experience is anything to go by, it’s unlikely these firms will do much if they don’t have to.

‘The Government announced plans to introduce new protections last year, but these have now been kicked into the long grass again.’

Meta said purchase fraud was ‘an industry-wide issue’ with scammers using ‘increasingly sophisticated methods’ to defraud people ‘in a range of ways, including email, text and offline’.

A spokesman said: ‘We don’t want anyone to fall victim to these criminals which is why our platforms have systems to block scams. Financial services advertisers now have to be authorised by the Financial Conduct Authority.’

The Department for Science, Innovation and Technology was approached for comment.

NHS trusts are sharing intimate details about patients’ medical conditions, appointments and treatments with Facebook without consent and despite promising never to do so.

En Observer investigation has uncovered a covert tracking tool in the websites of 20 NHS trusts which has for years collected browsing information and shared it with the tech giant in a major breach of privacy.

The data includes granular details of pages viewed, buttons clicked and keywords searched. It is matched to the user’s IP address – an identifier linked to an individual or household – and in many cases details of their Facebook account.

Information extracted by Meta Pixel can be used by Facebook’s parent company, Meta, for its own business purposes – including improving its targeted advertising services.

Records of information sent to the firm by NHS websites reveal it includes data which – when linked to an individual – could reveal personal medical details.

It was collected from patients who visited hundreds of NHS webpages about HIV, self-harm, gender identity services, sexual health, cancer, children’s treatment and more.

It also includes details of when web users clicked buttons to book an appointment, order a repeat prescription, request a referral or to complete an online counselling course. Millions of patients are potentially affected.

This weekend, 17 of the 20 NHS trusts that were using Meta Pixel confirmed they had pulled the tracking tool from their websites.

Eight issued apologies to patients. Multiple trusts said they had originally installed the tracking pixels to monitor recruitment or charity campaigns and were not aware that they were sending patient data to Facebook. The Information Commissioner’s Office (ICO) is investigating.

De Observer can reveal:

In one case, Buckinghamshire Healthcare NHS trust shared when a user viewed a patient handbook for HIV medication. The name of the drug and the NHS trust were sent to the company along with the user’s IP address and details of their Facebook user ID.

Alder Hey Children’s trust in Liverpool, sent Facebook details when users visited webpages for sexual development problems, crisis mental health services and eating disorders. It also shared data when users clicked to order repeat prescriptions.

The Tavistock and Portman NHS foundation trust in London shared data with Facebook when users clicked the information page for its gender identity service, which specialises in working with children who have gender dysphoria. Data was also shared when users viewed the webpage for the Portman Clinic, which “offers specialist help with disturbing sexual behaviours”, and clicked for details on how to be referred to the service.

Surrey and Borders Partnership NHS trust shared data with Facebook when a patient clicked buttons indicating they were under 18, lived in Brighton and wanted to access mental health services.

Other NHS trusts sent detailed receipts to Facebook when users accessed pages for appointment bookings or completed online self-help courses. Barts Health NHS trust, which serves a population of 2.5 million in London, shared data with Facebook when a user clicked to “cancel or change an appointment” or added a visit to a particular hospital to their itinerary.

The Royal Marsden, a specialist cancer centre, sent data on patients requesting referrals, viewing information about private care and browsing pages for particular cancer types.

The findings have caused alarm among privacy experts who said they indicated widespread potential breaches of data protection and patient confidentiality that were “completely unacceptable”.

Information sent to the company is likely to include special category health data, which has extra protection in law and is defined as information “about an individual’s past, current or future health status”, including medical conditions, tests and treatment and “any related data which reveals anything about the state of someone’s health”. Using or sharing it without explicit consent or another lawful basis is illegal.

Once the data reaches Facebook’s servers, it is not possible to track exactly how it is used. The company says it prohibits organisations from sending it sensitive health information and has filters to weed such data out when it is received by mistake.

Professor David Leslie, director of ethics at the Alan Turing Institute, said the transfer of data to third parties by the NHS risked damaging the “delicate relationship of trust” with patients. “Our reasonable expectation when we’re accessing an NHS website is that our data won’t be extracted and shared with third-party commercial entities that could [use it] for targeting ads or linking our personal identities to health conditions,” he said.

Wolfie Christl, a data privacy expert who has investigated the ad tech industry, said: “This should have been stopped by regulators a long time ago. It is irresponsible, even negligent, and it must stop.”

He accused Meta of doing too little to monitor what information it was being sent. “Meta says we don’t permit certain types of data being sent to us but they haven’t spent enough on resources to audit this,” Christl said.

In most cases, the information sent to Facebook during a test by the Observer was transferred automatically upon loading a website – before the user had selected to “accept” or “decline” cookies – and without explicit consent. Only three of the 20 trusts mentioned Facebook or Meta in their privacy policies at all. Several of the trusts had previously promised patients that their information would not be shared or used for marketing.

Collectively, the 20 NHS trusts found using the tracking tool serve a population of more than 22 million people in England, stretching from Devon to the Pennines. Some had been using it for several years.

One of the trusts that pulled the tracking tool this weekend, Buckinghamshire Healthcare NHS trust, had previously said in its privacy policy that “confidential personal information about your health and care … would never be used for marketing purposes without your explicit consent”.

In a statement, the trust apologised to patients and said the Meta Pixel had been active on its website in error. “It was installed in relation to a recruitment campaign, and we were not aware that Meta was using this information for marketing purposes,” a spokesperson said. “Immediate action has been taken to remove it.”

Alder Hey said it asked visitors to its website for permission to use cookies and said patients’ names and addresses had not been shared. It has removed the tracking tool.

The Royal Marsden said it regularly reviewed its privacy policies but did not say whether it planned to remove the pixel. Barts said it was removing trackers from its website “following the disclosure that they were being used to extract personal information beyond the purpose for which they were originally installed, which was to measure responses to recruitment advertising campaigns.”

Several said they were unaware of how data would be used and apologised to patients for failing to get consent. Aside from the 17 who pulled or are pulling the tool, Hertfordshire Partnership trust and Royal Marsden said they were investigating the issues internally and only the Tavistock and Portman did not respond to requests for comment.

The ICO said it had “noted the findings” and was considering the matter. “People have the right to expect that organisations will handle their information securely and that it will only be used for the purpose they are told,” a spokesperson said.

Avslöjanden om NHS-användningen av Meta Pixel kommer efter att tillsynsmyndigheter i USA utfärdat varningar för användningen av spårningsverktyg där. Förra sommaren, teknisk webbplats The Markup avslöjade deras användning på vårdgivares webbplatser. I december varnade Biden-administrationen för att användning av spårningspixlar för att samla in patientdata utan samtycke var ett potentiellt brott mot federal lag.

Flera ledande amerikanska sjukhus stäms för närvarande av sina patienter för deras användning av pixlarna, som är små kodbitar som är osynliga under normal surfning.

Meta står också inför rättsliga åtgärder på grund av anklagelser om att ha tagit emot medvetet känslig hälsoinformation – inklusive från sidor inom patientportaler – och inte vidta åtgärder för att stoppa det. Klagandena hävdar att Meta kränkte deras medicinska integritet genom att fånga upp "individuellt identifierbar hälsoinformation" från sina partners webbplatser och "generera pengar" på den.

Jeffrey Koncius, en partner vid Kiesel Law i Kalifornien och en av advokaterna som leder åtgärden, sa att dataöverföringen från NHS-webbplatserna verkade likna vad som hände i USA. "Tänk om ett sjukhus skickade ett brev till Mark Zuckerberg och sa: 'Vi vill att du ska veta att Jeff Koncius är vår patient'", sa han. "Det är precis vad som händer här. Det sker bara elektroniskt.”

Liberaldemokraternas hälsotalesman Daisy Cooper beskrev fynden som en "chockerande upptäckt" som väckte allvarliga frågor om skyddet av patientinformation. "NHS måste undersöka hur detta hände och hur utbrett detta påstådda dataintrång är", sa hon.

NHS England sa att enskilda truster var ansvariga för att se till att de följde dataskyddslagarna. "NHS undersöker denna fråga och kommer att vidta ytterligare åtgärder om det behövs", sa en talesperson.

Meta sa att de hade kontaktat trusterna för att påminna dem om dess policy, som förbjöd organisationer att skicka hälsodata. "Vi utbildar annonsörer om att korrekt ställa in affärsverktyg för att förhindra att detta inträffar", sa talespersonen. De tillade att det var webbplatsägarens ansvar att se till att den överensstämde med dataskyddslagarna och hade fått samtycke innan data skickades.

Företaget svarade inte på frågor om effektiviteten av dess filter utformade för att sålla bort "potentiellt känslig data", eller vilka typer av information de skulle blockera från sjukhuswebbplatser - eller säga varför det tillät NHS-truster att skicka data överhuvudtaget, med tanke på hög risk kan det avslöja detaljer om webbanvändarens hälsa.

"Som all teknik kommer inte våra filter att kunna fånga upp allt hela tiden. Men vi förbättrar ständigt våra mekanismer för att se till att vi fångar så mycket vi kan”, sa en talesperson.

Företaget erbjuder sina affärsverktyg till annonsörer och säger att de kan hjälpa dem att använda hälsobaserad reklam för att "växa ditt företag". I en guide säger det att data som samlats in genom dess affärsverktyg kan förbättra användarnas Facebook-upplevelse genom att visa dem annonser som de "kan vara intresserade av". "Du kan se annonser för hotellerbjudanden om du besöker resewebbplatser", förklaras det.

Sam Smith, på medConfidential, en datasekretesskampanjgrupp, sa att det aldrig var lämpligt att verktygen skulle användas för att samla in hälsoinformation. "Det finns ingen fördel för NHS-förtroende att ge bort denna information. Det är som att be ett tobaksföretag att sponsra en canceravdelning”, sa han. "NHS England godkänner tyst detta genom att inte genomdriva något bättre."