Fraud Management & Cybercrime , Governance & Risk Management , HIPAA/HITECH

Lawsuit: Facebook Is Collecting Patient Data of 'Millions'

Class Action Alleges Meta Pixel Code Tracks Websites, Patient Portal Interactions
Lawsuit: Facebook Is Collecting Patient Data of 'Millions'

Facebook is facing a putative class action alleging it unlawfully collects patient data from the online portals of hundreds of medical providers without knowledge or consent.

See Also: OnDemand Crowdsourced Security and DevOps: A Few Things You Probably Didn't Know

The lawsuit, filed Friday by an anonymous "John Doe" plaintiff in the Northern District of California, alleges Facebook knowingly receives patient data when medical centers deploy a tracking tool called Meta Pixel that's designed to improve marketing campaigns.

The plaintiff is a Facebook user and patient of MedStar Health System in Maryland and seeks class action status on behalf of "millions of other patients around the country."

The complaint alleges at least 664 hospitals or medical providers deploy the tracking technology.

The plaintiff's attorneys allege breach of the duty of good faith and fair dealing and violations of several federal and state laws, including electronic communications privacy and wiretap claims, California's Invasion of Privacy Act and the state's Unfair Competition Law. They seek both compensatory and punitive damages.

Facebook parent company, Meta, did not immediately respond to Information Security Media Group's request for comment on the lawsuit. Neither did plaintiff attorneys.

MedStar in a statement provided to ISMG says it complies with all applicable federal and state privacy laws and regulations. "MedStar Health maintains patient information on a secure platform, accessible only through a secure patient portal. We do not use any Facebook/Meta technologies on this platform."

MedStar did not immediately respond to ISMG' inquiry about whether Pixel was ever previously used in the healthcare system's patient portal or with its other website properties.

Lawsuit Allegations

The Meta Pixel is a snippet of JavaScript code embedded by developers into webpages. The complaint alleges that anytime a patient undertakes an online action, such as scheduling an appointment, Pixel transmits patient data - including health condition information - to Facebook.

Pixel gathers data whether or not a person is logged in to their Facebook account.

"As soon as a patient takes any action on a webpage which includes the Facebook Pixel - such as clicking a button to register, login, or logout of a patient portal or to create an appointment - Facebook's source code commands the patient's computing device to re-direct the content of the patient's communication to Facebook," the complaint alleges.

The data collection is done without first obtaining patient authorization, as required by federal health privacy law, the lawsuit alleges.

Under HIPAA, a covered entity must have an individual's prior written authorization before a use or disclosure of his or her protected health information can be made for marketing communications.

"Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook," the lawsuit alleges.

Facebook's targeted advertising operation includes the ability to place ads based on specific actions that a patient has taken on the medical providers' websites, it further alleges. "For example, Facebook could target ads to a patient who had used the patient portal and viewed a page about a specific condition, such as cancer."

Meta says it has technology that filters out sensitive health data from it ad-targeting operation.

Risks to Data Posed by Healthcare Marketing

Regulatory attorney Rachel Rose - who is not involved in the lawsuit - says Meta Pixel creates risk for patients, medical centers and Facebook itself.

By holding on to sensitive health data, Facebook could put that information at risk for compromise. For patients, having sensitive data transmitted to third parties increases the risk of identity fraud, while medical centers could see the data "repackaged" for healthcare criminal purposes.

Rose says there should be a prominent disclosure about patients' information being shared.

"Additionally, clients and providers should have to consent. If the provider is using Facebook and there is a contractual relationship involving the creation, receipt, maintenance, and/or transmission of PHI, then a business associate agreement is needed," she says.

The lawsuit points to an endemic problem in the healthcare industry, says regulatory attorney Paul Hales. Namely, healthcare marketing and patient engagement strategies are fashioned by advertising and marketing consultants without oversight from HIPAA compliance professionals.

Someone familiar with patient consent requirements would not have set up a system transmitting data to a social media company without carefully assessing it first, he says.

If You Fail to Sue Facebook, Try, Try Again

Hales also notes the plaintiff attorneys in this proposed class action are the same lawyers whose 2016 lawsuit against Facebook in a similar case, Smith et al. v. Facebook, et al., was dismissed in 2018.

That earlier privacy case alleged that Facebook violated federal and state laws by collecting and using individuals' browsing data from various healthcare-related websites.

In that case, the U.S. Court of Appeals for the 9th Circuit upheld a lower court's decision to dismiss the case. "Plaintiffs were barred from suing Facebook because they agreed to be bound by Facebook contract terms that prevented the suit," says Hales, who is not involved in either of those lawsuits against Facebook.

This new lawsuit appears to reflect some lessons learned from the 2016 attempt, Hale says, since the new case challenges the contract terms itself.

If the lawsuit survives motions to dismiss, "discovery in this case could be eye-opening and also embarrassing for Meta's medical provider partners," he says.

The Doe vs. Meta lawsuit comes as other privacy-related allegations against Facebook involving its use of Pixel in the collection of other sensitive health data emerge (see: Bill Would Ban Brokers From Selling Health, Location Data).

Nonprofit investigative reporting organizations The Markup and Reveal last week reported findings that the social media giant is collecting abortion-related information about users.

The investigation alleges that Facebook collects "ultrasensitive personal data about abortion seekers" and enables "anti-abortion organizations to use that data as a tool to target and influence people online, in violation of its own policies and promises."


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.eu, you agree to our use of cookies.