Meta is facing a lawsuit alleging that the social media giant has knowingly been acquiring patient data from hospital websites through the Meta Pixel tracking tool, and has therefore violated the privacy of millions of patients.
The research discovered 7 hospital systems that had integrated Meta Pixel on their password-protected patient sites, where the tool was sending sensitive details such as patient illnesses, which can be linked to the patients via their IP addresses. The study did not find any evidence that Meta had entered into a business associate agreement with the hospitals. The hospitals and healthcare systems that used Meta Pixel also did not obtain consent from patients to share patient information with Meta.
The lawsuit was filed on behalf of patient John Doe, who is a Facebook user and a patient of the Maryland-based MedStar Health System. The plaintiff stated that he uses the patient website for scheduling appointments, communicating with providers, and reading lab exam results, and that he did not agree to the sharing of information with Meta/Facebook. MedStar Health said that all patient information is secured and that it does not use any Facebook/Meta technologies on its site. According to the lawsuit, a minimum of 664 healthcare systems in the U.S.A. have incorporated the Meta Pixel tool into their web pages, which shares sensitive details with Meta.
Meta says on its web page that when its signals filtering system identifies Business Tools data categorized as possibly sensitive health-related data, the filtering mechanism is designed to stop that information from being used in its ads ranking and optimization programs. Nevertheless, the lawsuit states that, despite knowingly receiving health-related details from medical companies, Facebook did not take any action to enforce or verify its requirement that healthcare providers obtain sufficient authorization from patients before sharing patient data with Facebook. The lawsuit states that using the tool on hospital sites without permission violates the Health Insurance Portability and Accountability Act (HIPAA), as the information is gathered without a business associate agreement. It must be noted that the HIPAA Rules do not cover Meta/Facebook; nevertheless, the hospitals that use the tool can be in violation of HIPAA for disclosing the data with no authorization.
The lawsuit claims a breach of the duty of good faith and fair dealing, and violations of federal and state regulations, such as the federal Electronic Communications Privacy Act, Unfair Competition Law, and California’s Invasion of Privacy Act. The lawsuit seeks compensatory and punitive damages, class-action status, and attorneys’ fees.
This isn’t the first legal case to be filed against Facebook over the collection of information from hospital web pages. In 2018, the same attorneys saw their case Smith et al. v. Facebook, which concerned the accumulation of browsing information from hospital sites, dismissed. The decision was upheld by the U.S. Court of Appeals for the 9th Circuit, which ruled that the plaintiffs couldn’t file a suit against Facebook since they had consented to Facebook’s contract terms.
Reclaim the Net got a copy of the legal case and published it here.