
WakeMed Faces Data Breach Lawsuit Over Meta Pixel Use

A proposed class action lawsuit alleged that WakeMed knowingly implemented tracking software on its website without patient consent.

WakeMed Health and Hospitals is the subject of a proposed class action lawsuit stemming from a data breach that allegedly led to patient data being transmitted to Facebook (Meta) through the use of tracking pixels.

In October, WakeMed notified more than 495,000 individuals that their information was involved in the breach.

As previously reported, Meta and a variety of health systems are facing scrutiny over the use of tracking pixels on hospital websites. Tracking pixels are typically used for targeted marketing and tracking user activity, but in the case of numerous hospitals, the pixel was found on password-protected patient portals.

WakeMed’s notice to patients noted that “the pixel’s software code may have also transmitted some of the information entered into the MyChart patient portal and appointment scheduling page back to Facebook.”

WakeMed has since disabled the pixel and launched a review of its policies and procedures relating to gathering website user data.

Similarly, Advocate Aurora Health notified 3 million individuals of a breach stemming from the use of tracking pixels, and Novant Health notified 1.3 million individuals of potential unauthorized data disclosures resulting from its use of pixels.

“Despite WakeMed’s status as one of the largest healthcare providers in the country, WakeMed knowingly incorporated tracking software on its website that disclosed the Private Information of Plaintiff’s and Class Members to an unauthorized third party without the knowledge or consent of Plaintiff and Class Members,” the lawsuit alleged.

The plaintiff, a WakeMed patient, “reasonably expected that her online communications with WakeMed were confidential, solely between herself and WakeMed, and that such communications would not be transmitted to or intercepted by a third party,” the filing stated.

WakeMed’s notice did not specify when it first discovered that the pixel was potentially sending data back to Facebook. However, WakeMed did note that the pixel was in use on its website from March 2018 to May 2022.

“Healthcare providers like Defendant that collect and store Private Information have statutory, regulatory, contractual, and common law duties to safeguard that information and ensure it remains private and safe from disclosure to unauthorized parties,” the lawsuit continued.

The plaintiff alleged that WakeMed failed to implement reasonable safeguards to prevent improper disclosures, failed to adequately train employees, and failed to comply with industry-standard data security practices.  
