Meta hit with class action suit alleging it mined providers’ patient data

Dive Brief:

• Tech giant Meta, the parent company of Facebook, was slammed with a class action lawsuit alleging that the social media company has been scouring sensitive patient data from hospital websites in violation of HIPAA and numerous state and federal laws.
• The lawsuit, filed last week in Northern California, charges that Meta’s Pixel tracking tool sent patient data like IP addresses, online portal login information and health conditions directly back to the company.
• Filed by a John Doe on behalf of “millions of other Americans whose medical privacy has been violated by Facebook’s Pixel,” the suit follows an investigative report published last week by The Markup and Stat News that found the top 33 hospitals in the U.S. were sending sensitive patient data to Meta via the Pixel tracking tool.

Dive Insight:

In one example, The Markup found that by clicking the “schedule online” button on the University Hospitals Cleveland Medical Center’s website, the Pixel tracking tool collected the physician’s name, the text displayed on the online button and the search term “pregnancy termination,” and sent that information back to Facebook. The report also found that seven hospital systems had Facebook Pixel installed directly inside supposedly password-protected patient portals.

The lawsuit identified at least 644 hospital systems or “medical provider web properties” from which Facebook allegedly “knowingly receives patient data” to create targeted advertising both on and off of Facebook’s website. It further alleges that the company did not attempt to gain “patient knowledge, consent, or valid HIPAA authorizations.”

Facebook’s Pixel is a piece of code that allows websites to target and optimize advertisements for users. That data is often tied back to specific users.

The data and identifying information scoured by Pixel has run into several privacy-related roadblocks. In February, a class action lawsuit was filed against the parent company of medical diagnostic tool WebMD alleging that Facebook’s Pixel tracking tool disclosed identifying information from WebMD users by tracking targeted video advertisements and had violated the Video Privacy Protection Act. Another class action suit, filed in March against streaming service HBO, also alleges that Facebook’s Pixel violates the VPPA.

While the Pixel has recently come under fire, it’s also not the first time that the tech giant has been accused of mining patient healthcare data. In 2016, three Facebook users filed a class action lawsuit against the company and several medical organizations alleging that Facebook had collected health data and used it without consent for marketing profiles to target advertisements. A judge ruled in Facebook’s favor in May 2017 and the plaintiffs subsequently filed an appeal. 

“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” Nicholson Price, a University of Michigan law professor told The Markup. “I think this is creepy, problematic, and potentially illegal” from the hospitals’ point of view.