Meta Sued For Violating Patient Privacy, Scraping Health Data From Hospitals
Meta allegedly scraped health data from hundreds of hospital websites using its Meta Pixel tracker, sparking patient privacy concerns and a lawsuit.
In the wake of detailed allegations of patient privacy violations covered in a report co-published by The Markup and STAT, Meta (the parent company of Facebook) is facing a lawsuit over the use of its Meta Pixel tracker in scraping hospital websites for health data. The report found evidence that the Meta Pixel, a portion of JavaScript code that allows websites to track visitor activity, was being used on hundreds of hospital websites.
According to Meta, the Meta Pixel can collect anything present in HTTP headers, button click data, form field names, and more. The Markup tested the websites of Newsweek’s top 100 hospitals in America and found the Meta Pixel on about a third of them. In fact, the Meta Pixel is present on more than 30 percent of the most popular websites, The Markup found.
With the tracker present within password-protected patient portals, packets of data were allegedly sent to Facebook whenever someone clicked a button to schedule a doctor’s appointment. Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors’ names, which could all be linked to the user’s unique IP address.
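The mechanism the report describes (a third-party script loaded into a patient portal, with access to form field names and button clicks on the page) is something a hospital web team can check for in its own page source. The following audit is an added example written for this article; it is not code from The Markup, STAT, Meta, or the lawsuit. It parses a constructed sample portal page, lists every script, image and iframe loaded from a host other than the portal's own, flags those that match the Meta Pixel loader and beacon hosts as given in Meta's public Pixel install snippet (an assumption on my part, to be extended with any other trackers a review finds), and reports the form field names that any script on that page could read. The hospital hostname and pixel id are placeholders.

```python
"""Audit a page's HTML for third-party tracking scripts and the form fields
they could observe. Added example, not code from the article or from Meta."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Hosts used by Meta's public Pixel install snippet (the fbevents.js loader and
# the /tr image beacon). Assumed from Meta's install docs; extend as needed.
KNOWN_TRACKER_HOSTS = {"connect.facebook.net", "www.facebook.com"}

# Constructed sample of a patient-portal appointment page. Hostname and pixel
# id are placeholders, not real values.
SAMPLE_PORTAL_HTML = """
<html><head>
<script src="https://portal.example-hospital.org/static/app.js"></script>
<script>
  fbq('init', 'PIXEL_ID_PLACEHOLDER');
  fbq('track', 'PageView');
</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=PIXEL_ID_PLACEHOLDER&amp;ev=PageView&amp;noscript=1"/></noscript>
<form action="/appointments/new" method="post">
  <input name="patient_id">
  <select name="doctor_name"><option>Dr. Example</option></select>
  <textarea name="reason_for_visit"></textarea>
  <button type="submit">Schedule appointment</button>
</form>
</body></html>
"""


class _PageScanner(HTMLParser):
    """Collects resource URLs, inline pixel calls and form field names."""

    def __init__(self):
        super().__init__()
        self.resource_urls = []      # every script/img/iframe src on the page
        self.form_fields = []        # names any script on the page can read
        self.inline_pixel_calls = 0  # fbq(...) calls in inline <script> blocks
        self._script_buf = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            self.resource_urls.append(a["src"])
        if tag == "script" and not a.get("src"):
            self._script_buf = []
        if tag in ("input", "select", "textarea") and a.get("name"):
            self.form_fields.append(a["name"])

    def handle_data(self, data):
        if self._script_buf is not None:
            self._script_buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script_buf is not None:
            self.inline_pixel_calls += "".join(self._script_buf).count("fbq(")
            self._script_buf = None


def audit_page(html: str, first_party_host: str) -> dict:
    """Return third-party resources, known tracker hits, inline pixel calls
    and form field names found in the given page HTML."""
    scanner = _PageScanner()
    scanner.feed(html)
    third_party, tracker_hits = [], []
    for url in scanner.resource_urls:
        host = urlparse(url).hostname
        if not host or host == first_party_host or host.endswith("." + first_party_host):
            continue  # first-party resource, not of interest here
        third_party.append(url)
        if host in KNOWN_TRACKER_HOSTS:
            tracker_hits.append(url)
    return {
        "third_party_resources": third_party,
        "tracker_hits": tracker_hits,
        "inline_pixel_calls": scanner.inline_pixel_calls,
        "form_fields": scanner.form_fields,
    }


def summarize(findings: dict, authenticated_area: bool) -> list:
    """Turn audit findings into plain review notes for the page owner."""
    notes = []
    if findings["tracker_hits"] or findings["inline_pixel_calls"]:
        notes.append("third-party tracker loaded on this page")
        if authenticated_area:
            notes.append("tracker runs inside an authenticated area; page state, "
                         "form field names and click targets are visible to it")
        if findings["form_fields"]:
            notes.append("form fields exposed: " + ", ".join(findings["form_fields"]))
    return notes


if __name__ == "__main__":
    result = audit_page(SAMPLE_PORTAL_HTML, "portal.example-hospital.org")
    for line in summarize(result, authenticated_area=True):
        print("-", line)
```

Run against a saved copy of each page in the portal (after login, since the article's point is that the tracker sat behind authentication); any hit on a page that carries appointment or condition fields is the situation the report describes.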
“If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems,” Meta says in a general notice about sensitive health information on its business help center website.
The Markup and STAT were unable to confirm whether the sensitive health information they found was actually removed before Meta stored the data. But this is not the first time that Facebook has been scrutinized over data use and patient privacy.
In 2019, the Federal Trade Commission (FTC) imposed a $5 billion penalty on Facebook and required it to submit to new restrictions and requirements to hold the company accountable for its data privacy decisions.
In the most recent lawsuit, filed in the U.S. Northern District of California, a plaintiff known only as John Doe alleged that he, along with millions of other patients, had his rights to privacy violated by Meta. The lawsuit alleged violations of the federal Electronic Communications Privacy Act, California’s Invasion of Privacy Act and Unfair Competition Law, and a breach of Facebook’s duty of good faith and fair dealing.
The suit also claimed that “neither Facebook nor any of the hospitals that deployed the Facebook Pixel on their web properties procured HIPAA authorizations for the disclosure of patient status and health information to Facebook.”
Meta is not a HIPAA-covered entity, but it would need to have a HIPAA business associate agreement (BAA) in place in order to handle PHI in compliance with HIPAA.
“Facebook’s collection of patient status and the content of patient communications with their medical providers, including when they register, log-in and logout of patient portals and to set up appointments, in the absence of a HIPAA authorization violates Facebook’s privacy promises to users,” the filing continued.
The plaintiff alleged that Facebook knowingly received patient data and failed to take action “to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.”
“Facebook is also aware of every web property where the Facebook Pixel is deployed and fully capable of conducting the same types of expert analysis that Plaintiffs conducted to identify at least 664 hospitals or medical provider properties where the Facebook Pixel is present,” the lawsuit alleged.
The lawsuit is seeking compensatory damages, attorneys’ fees, and class-action status.