Dedicated to providing the latest
HIPAA compliance news

Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation

Share this article on:

A lawsuit has been filed in Federal Court in San Jose, California by cancer patients who allege they have had their privacy violated after visiting the websites of cancer institutes.

The plaintiffs claim that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing purposes. After visiting the websites, the plaintiffs claim they have been served advertisements relating to very specific types of cancer. It is alleged that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific webpages that were visited.

Lead plaintiff in the case, Winston Smith, claims to have visited cancer.org, a website of the American Cancer Society. Smith conducted searches on the site for information on lung cancer and claims those searches, and information about the webpages he visited, were provided to Facebook which used the information to serve him targeted adverts. Smith claims that Facebook’s privacy policy does not specifically mention that highly sensitive medical information is obtained and used for marketing purposes.

The lawsuit alleges the practice is a violation of the Health Insurance Portability and Accountability Act (HIPAA), as well the Federal Wiretap Act and state privacy laws.

Facebook is not a HIPAA covered entity of course, so is not bound to abide by HIPAA Rules; however, some of the websites in question are owned and maintained by healthcare organizations that are covered under HIPAA Rules. It is claimed that some HIPAA-covered entities have not explicitly stated that there is a Facebook plugin on the site and that the plugin is used to transmit medical information.

The lawsuit names Facebook, Adventists Health System, the American Cancer Society, the American Society of Oncology, BJC Healthcare, the Cleveland Clinic, the Melanoma Research Foundation, and University of Texas MD Anderson Cancer Center, according to the Courthouse News Service.

Smith says the institutes named in the suit should have disclosed their relationship with Facebook and that medical information entered on the websites would be shared. He points out that some websites that also have a relationship with Facebook, such as the Mayo Clinic and John Hopkins Medicine, do not track user activity on their sites not pass medical information to Facebook.

Smith is seeking class certification, restitution, damages and a permanent injunction to stop the defendants from collecting data, tracking site users, and from disclosing private health data to Facebook.

Some of the institutions named in the lawsuit have said the case is without merit, while others, such as University of Texas MD Anderson Cancer Center, said data were not knowingly or intentionally recorded or transmitted.

Facebook has declared that the basis of the case is not valid, and a spokesperson for the social media giant told the International Business Times “Our policies state clearly that companies’ websites are prohibited from sharing health and other sensitive information with Facebook when using our advertising services.”

Author: HIPAA Journal

HIPAA Journal provides the most comprehensive coverage of HIPAA news anywhere online, in addition to independent advice about HIPAA compliance and the best practices to adopt to avoid data breaches, HIPAA violations and regulatory fines.

Share This Post On