HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Lawsuit Filed Against Facebook and Cancer Sites for Alleged HIPAA Violation

A lawsuit has been filed in Federal Court in San Jose, California by cancer patients who allege they have had their privacy violated after visiting the websites of cancer institutes.

The plaintiffs claim that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing purposes. After visiting the websites, the plaintiffs claim they have been served advertisements relating to very specific types of cancer. It is alleged that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific webpages that were visited.

Lead plaintiff in the case, Winston Smith, claims to have visited cancer.org, a website of the American Cancer Society. Smith conducted searches on the site for information on lung cancer and claims those searches, and information about the webpages he visited, were provided to Facebook which used the information to serve him targeted adverts. Smith claims that Facebook’s privacy policy does not specifically mention that highly sensitive medical information is obtained and used for marketing purposes.

The lawsuit alleges the practice is a violation of the Health Insurance Portability and Accountability Act (HIPAA), as well the Federal Wiretap Act and state privacy laws.

Get The Checklist

Free and Immediate Download
of HIPAA Compliance Checklist

Delivered via email so verify your email address is correct.

Your Privacy Respected

HIPAA Journal Privacy Policy

Facebook is not a HIPAA covered entity of course, so is not bound to abide by HIPAA Rules; however, some of the websites in question are owned and maintained by healthcare organizations that are covered under HIPAA Rules. It is claimed that some HIPAA-covered entities have not explicitly stated that there is a Facebook plugin on the site and that the plugin is used to transmit medical information.

The lawsuit names Facebook, Adventists Health System, the American Cancer Society, the American Society of Oncology, BJC Healthcare, the Cleveland Clinic, the Melanoma Research Foundation, and University of Texas MD Anderson Cancer Center, according to the Courthouse News Service.

Smith says the institutes named in the suit should have disclosed their relationship with Facebook and that medical information entered on the websites would be shared. He points out that some websites that also have a relationship with Facebook, such as the Mayo Clinic and John Hopkins Medicine, do not track user activity on their sites not pass medical information to Facebook.

Smith is seeking class certification, restitution, damages and a permanent injunction to stop the defendants from collecting data, tracking site users, and from disclosing private health data to Facebook.

Some of the institutions named in the lawsuit have said the case is without merit, while others, such as University of Texas MD Anderson Cancer Center, said data were not knowingly or intentionally recorded or transmitted.

Facebook has declared that the basis of the case is not valid, and a spokesperson for the social media giant told the International Business Times “Our policies state clearly that companies’ websites are prohibited from sharing health and other sensitive information with Facebook when using our advertising services.”

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered on HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has several years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics.