Getty Images

Lawsuit Accuses Iowa Health System of Sharing Data With Facebook

The plaintiff alleged that the University of Iowa Hospitals & Clinics unlawfully disclosed personal information to Facebook via its use of tracking pixels.

An Iowa woman filed a lawsuit against the University of Iowa Hospitals & Clinics (UIHC) over its use of tracking pixels. As previously reported, companies like Google and Meta, along with healthcare organizations, have been facing scrutiny over the use of tracking pixels on hospital websites that may be inadvertently transmitting sensitive data to the tech companies.

What’s more, a recent study published in Health Affairs found third-party tracking technologies on 98.6 percent of all US nonfederal acute care hospital websites.

Multiple healthcare organizations issued breach notices regarding the use of tracking pixels in recent months. The breach notices commonly state that the healthcare entity had implemented the technology to understand how visitors interact with their websites, but later discovered that the tech had been inappropriately transmitting sensitive data back to big tech companies such as Meta and Google.

However, UIHC does not appear to have issued such notice. Despite this, the plaintiff claimed that UIHC “utilized the Pixel data for marketing purposes in an effort to bolster its profits.”

“Facebook also uses Plaintiff’s and Class Members’ Private Information to create targeted advertisements based on the medical conditions and other information which is then surreptitiously disclosed to Defendant,” the filing stated.

The filing contains screenshots of source code found on UIHC’s website, which highlight the defendant’s Pixel ID, showing the presence of the tool.

The plaintiff alleged that she suffered an invasion of privacy, diminution of the value of her private information, and an ongoing risk of targeted advertisements and spam.

“Defendant violated its own Privacy Policy by unlawfully intercepting and disclosing Plaintiff’s and Class Members’ Private Information to Facebook and third parties for marketing purposes without adequately disclosing that it shares Private Information with third parties for those purposes and without acquiring the specific patients’ consent or authorization,” the filing alleged.

As previously reported, law firm BakerHostetler’s recently released 2023 Data Security Incident Response Report (DSIR) observed a significant uptick in pixel-related data breach lawsuits in 2022. BakerHostetler observed more than 50 lawsuits being filed against hospital systems related to third-party tracking tech since August 2022.

“The Dobbs decision coincided with the publication of an investigative report about the use of advertising technology on hospital websites. Several regulators scrambled to give consumers, health apps, and HIPAA-covered entities admonishments and guidance on the risks and limitations surrounding the use of this type of technology,” the report stated.

“Simultaneously, a deluge of class actions was filed, alleging various causes of action stemming from the use of this technology. For many healthcare entities, 2022 will be remembered as ‘The Year of the Pixel.’”

The firm predicted that these lawsuits would continue to pop up in coming months as consumers and regulators take action against improper pixel use.

Next Steps

Dig Deeper on Cybersecurity strategies