Meta Sued about the Scraping of Patient Information from Hospital Sites

Meta is facing a lawsuit that alleges the social media giant has been knowingly acquiring patient data from hospital sites through the Meta Pixel tracking tool, and therefore has committed the privacy violation of millions of patients.

The lawsuit was filed in the U.S. Northern District of California and claims violations of state and federal legislation connected to the getting of patient information without permission. Last week, The Markup/STAT’s report on a study about the 100 top hospitals in the United States revealed that 33 percent utilized the Meta Pixel tool on their web pages. The Meta Pixel tool is a little JavaScript code that is employed to monitor visitor activities on websites, like the forms they click and the options they choose from dropdown menus. When the tool is incorporated on healthcare companies’ websites, it’s possible for the tool to share protected health information (PHI) to Meta/Facebook, like IP address if a patient has booked an appointment, and any data chosen from the menus, for example, the medical condition that the visit is about.

The research discovered 7 hospital systems that had integrated Meta Pixel on their patient sites behind password protection and the tool was sending sensitive details like patient illnesses, which can be linked to the patients via their IP addresses. The study did not find any evidence that Meta had entered into a business associate agreement with the hospitals. There was also no consent to share patient information with Meta obtained from patients by the hospitals and healthcare systems that utilized Meta Pixel.

The legal action was submitted on behalf of patient John Doe, who is a user of Facebook and a Maryland-based Medstar Health System patient. The plaintiff stated he employs the patient website for scheduling appointments, communicating with providers, and reading lab exam results, and did not agree on the sharing of information with Meta/Facebook. Medstar Health mentioned all patient information is secured and it does not utilize any Facebook/Meta technologies on its site. Based on the lawsuit, a minimum of 664 healthcare systems in the U.S.A. have incorporated the Meta Pixel tool into their web pages, which shares sensitive details with Meta.

Meta says on its web page that when Meta’s signals filtering system identifies Business Tools data categorized as possibly sensitive health-related data, the filtering mechanism is created to stop that information from being used in its ads ranking and optimization programs. Nevertheless, the lawsuit states that in spite of knowingly getting health-associated details from medical companies, Facebook did not take any action to implement or confirm its requirement that healthcare providers acquire sufficient authorization from patients before sharing patient data with Facebook. The lawsuit states that using the tool on hospital sites without permission violates the Health Insurance Portability and Accountability Act (HIPAA), as the information is gathered without a business associate agreement. It must be noted that HIPAA Rules do not cover Meta/Facebook; nevertheless, the hospitals that utilize the tool can be in violation of HIPAA for disclosing the data with no authorization.

The lawsuit claims a breach of the duty of good faith and fair dealing, and not following federal and state regulations, such as the federal Electronic Communications Privacy Act, Unfair Competition Law, and California’s Invasion of Privacy Act. The lawsuit wants compensatory and punitive damages, class-action status, and attorneys’ expense.

This isn’t the first legal case to be filed against Facebook because of the collection of information from hospital web pages. In 2018, the same attorneys had the case Smith et al v. Facebook dismissed, which concerns the accumulation of browsing information from hospital sites. The decision was upheld by the U.S. Court of Appeals for the 9th Circuit, which made the decision that the plaintiffs couldn’t file a suit against Facebook since they had consented to Facebook’s contract terms.

Reclaim the Net got a copy of the legal case and published it here.

About the Author

Elizabeth Hernandez
Elizabeth Hernandez is the editor of HIPAA News. Elizabeth is an experienced journalist who has worked in the healthcare sector for several years. Her expertise is not limited to general healthcare reporting but extends to specialized areas of healthcare compliance and HIPAA compliance. Elizabeth's knowledge in these areas has made her a reliable source for information on the complexities of healthcare regulations. Elizabeth's contribution to the field extends to helping readers understand the importance of patient privacy and secure handling of health information. Elizabeth holds a postgraduate degree in journalism. You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone