Federal Judge Tentatively Advances Meta Pixel Medical Privacy Class Action
A class action lawsuit against Meta over the disclosure of health data to the social media giant has been allowed to proceed by a federal judge. The judge issued a tentative order allowing the lawsuit to advance for several of the claims made by the plaintiffs; however, the number of claims has been reduced by around half.
The consolidated lawsuit, John Doe v Meta Platforms Inc., filed in the U.S. District Court for the Northern District of California, alleges the plaintiffs and class members had their medical privacy violated by Facebook’s Meta Pixel tracking tool. The lawsuit alleges that Meta knew, or should have known, that the Pixel tool was being used improperly on the websites of hospitals. The lawsuit alleges at least 664 hospital systems and medical providers were sending medical information to Facebook through the Meta Pixel tool. According to the lawsuit, the improper use of the tracking tool resulted in “the wrongful, contemporaneous, re-direction to Facebook of patient communications to register as a patient, sign-in or out of a supposedly “secure” patient portal, request or set appointments, or call their provider via their computing device.” The data was then used to create and serve individuals with personalized ads.
As the HHS’ Office for Civil Rights confirmed in 2022 guidance on HIPAA and tracking technologies, these tools can only be used if there is a HIPAA-compliant business relationship with the tracking technology vendor or if valid HIPAA authorizations have been obtained. Since Meta is not a business associate and there were no HIPAA authorizations, the disclosures were impermissible under HIPAA.
Meta states in its terms and conditions that partners are required to have a lawful right to collect and share data before providing it to Meta. Meta argued that it is the responsibility of web developers to ensure that appropriate permission is obtained before Meta Pixel is used on websites and said that it explains to web developers how they can meet their legal obligations when using the Pixel tool. “There’s no statutory or common law doctrine that would allow the plaintiffs to impose liability upon Meta for the decision of third parties to send Meta data that it doesn’t want, that it has contractually barred them from sending in,” said Meta attorney, Lauren Goldman.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
U.S. District Judge William Orrick III denied Meta’s motion to dismiss on several counts, allowing the lawsuit to proceed for the alleged violations of federal and state wiretap laws, as the plaintiffs had sufficiently argued that Meta had not done enough to prevent the transmission of sensitive health data. Orrick found the plaintiffs had plausibly argued that the data collection occurred in California and Meta had not met its burden of proof to show that healthcare providers were given sufficient consent by Meta to collect sensitive medical information.
The extraterritoriality, Wiretap Act, California Invasion of Privacy Act (CIPA), unjust enrichment, and larceny claims were advanced; however, Orrick granted the motion to dismiss the privacy, contract, California Comprehensive Computer Data Access and Fraud (CDAFA) Act, negligence per se, trespass to chattels, Unfair Competition Law (UCL), and Consumer Legal Remedies Act (CLRA) claims. The plaintiffs’ attorneys are required to refile the lawsuit as some of the privacy claims lack sufficient detail about the types of information that were allegedly transmitted to Meta. The judge stated in the hearing on Wednesday in San Francisco federal court that a final order would be issued as soon as possible.
