Costco Pharmacy Patients Sue for Website Tracking Technology Disclosures of PHI to Third Parties
Costco is one of the latest companies to be sued over the use of website tracking technologies. Many retailers use tracking code on their websites such as Meta Pixel and Google Analytics to gain information about the interactions of website visitors. These tools provide valuable information that can be used to improve websites and increase sales. The data collected by these tools is sent to the providers of the code, and in some cases, may be used to serve targeted advertisements.
Two lawsuits have recently been filed against Costco Wholesale over the use of these trackers on the Costco Pharmacy pages of the Costco website, which has allegedly impermissibly disclosed information protected under the Health Insurance Portability and Accountability Act (HIPAA). Both lawsuits claim that Costco encourages patients and prospective patients to use its pharmacy webpages, communicate about their prescriptions, conduct research on medications, order new prescriptions, request refills for current medications, inquire about specific immunizations, search for local Medicare supplemental insurance, and sign up for its Rx mail order program.
However, unbeknown to website visitors, their activities are being tracked and their sensitive data is being transferred to third parties. The information transferred is tied to individuals by identifiers such as their IP address and Facebook ID and allows the third parties to infer that an individual is being treated for a specific type of medical condition such as cancer, pregnancy, HIV, mental health conditions, and they may be serviced targeted advertisements based on that information. Both lawsuits were filed in the U.S. District Court for the Western District of Washington at Seattle (R.S. v. Costco Wholesale Corporation and Castillo et al v Costco Wholesale Corporation). The lawsuits make similar claims, that the use of the tracking code without obtaining consent violates HIPAA, the Federal Trade Commission (FTC) Act, and federal and state wiretapping laws.
As a pharmacy operator, Costo is a HIPAA-covered entity and is required to comply with the HIPAA Rules. In December 2022, the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) issued guidance on HIPAA and website tracking technologies, prohibiting the use of these tools unless consent was obtained – in the form of a HIPAA-compliant authorization – or a business associate agreement was in place with the providers of these tools. Most providers of tracking technologies do not sign business associate agreements. The FTC has taken action against non-HIPAA-covered entities that have used tracking code on websites that collects and discloses health data for violations of the FTC Act. The FTC and OCR jointly sent letters to 130 entities this year warning them about the use of tracking tools on their websites and the compliance risks associated with these tools. The guidance issued by OCR makes it clear that the use of these tools violates HIPAA; however, that position is being challenged by the American Hospital Association and others who recently filed a lawsuit against the Secretary of the HHS and the Director of OCR that seek confirmation from the court that the guidance is unlawful and to prevent OCR from ever enforcing it.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The two lawsuits seek class action certification, a jury trial, financial damages for the imminent and ongoing harm caused, and injunctive relief prohibiting Costco from using these tools and engaging in further unlawful behavior. These are just two of many lawsuits that have been filed against healthcare organizations and Meta over these tracking tools, which have disclosed the data of tens of millions of individuals to third parties without consent. Recently, Advocate Aurora Health settled its Pixel-related class action lawsuit for $12.225 million.
Plaintiffs and class members in the R.S. v. Costco lawsuit are represented by Kim D. Stephens & Rebecca L. Solomon of Tousley Brain Stephens PLLC, and Gary M. Klinger, Alexandra M. Honeycutt & Glen L. Abramson of Milberg Coleman Bryson Phillips Grossman PLLC. Plaintiffs and class members in the Castillo et al v Costco lawsuit are represented by Kim D. Stephens & Rebecca L. Solomon of Tousley Brain Stephens PLLC and Ryan J. Ellersick and Hart L. Robinovitch of Zimmerman Reed LLP.