LinkedIn, Meta, and Healthcare Companies Sued for Using Tracking Tools
Lawsuits have recently been filed against the professional networking platform LinkedIn, Meta (Facebook), and three healthcare companies over the use of website tracking tools on websites that collect sensitive health information and use that information for marketing and advertising purposes.
Social media companies provide website tracking tools that collect visitor data from web pages for advertising and marketing purposes. LinkedIn’s tool, LinkedIn Insight Tag, is a code snippet (pixel) that can be added to a website to help the website owner optimize their marketing campaigns, retarget website visitors with advertisements as they browse the Internet, and collect information about their audiences. Similar tracking code is provided by Meta – the Meta Pixel code snippet. Both social media companies have been named as co-defendants in the lawsuits along with the healthcare companies that use the code.
When these code snippets are added to a healthcare web page, there is a risk that they will collect sensitive PHI. The lawsuits allege that the healthcare companies, LinkedIn, and Meta knew that the code was intercepting users’ interactions and transmitting that information to be used to deliver targeted advertisements on LinkedIn and Facebook. One of the lawsuits, J.S. v. Spring Fertility Holdings, LLC, Meta Platforms, Inc., and LinkedIn Corporation, was recently filed in the U.S. District Court for the Northern District of California by the law firm Bursor & Fisher, P.A. regarding the use of the tracking tools on the website of Spring Fertility, a provider of fertility treatments.
The lawsuit alleges that Spring Fertility knew that patients expected it to maintain strict confidentiality of any information collected through its website, but “aided, employed, agreed, and conspired with social media websites Facebook and LinkedIn to intercept sensitive and confidential personal and medical communications sent by patients seeking to book services with Spring Fertility through its website.”
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The lawsuit alleges the code snippets were added to webpages that had web forms that collected highly sensitive information including the type of fertility treatment sought and the patient’s sexual orientation, and collected and transmitted that information without patients’ knowledge or consent. The plaintiff used the Spring Fertility website to book a consultation while maintaining accounts on Facebook and LinkedIn. She then started receiving targeted adverts on those social media networks related to fertility services.
The lawsuit alleges that information was collected by Spring Fertility and was passed to LinkedIn and Facebook without the plaintiff’s knowledge, consent, or express written authorization. LinkedIn and Meta were named co-defendants because both companies were aware of the risks of using these pixels on healthcare websites and continued to allow healthcare organizations to use the code to intercept sensitive health information because of its value for targeted advertising.
Spring Fertility is alleged to have breached its duty of confidentiality to the plaintiff, violated the Electronic Communications Privacy Act, California’s Confidentiality of Medical Information Act (CMIA), the California Invasion of Privacy Act (CIPA), and the behavior was an invasion of privacy under the California constitution. The lawsuit seeks class action status, a jury trial, compensatory, statutory, and punitive damages, legal fees and costs, and injunctive relief. Similar lawsuits have been filed by the same law firm against the mental health therapy website Therapymatch (Headway) and Village Practice Management (CityMD).
Healthcare organizations have been warned by both the HHS’ Office for Civil Rights (OCR) and the Federal Trade Commission (FTC) over the use of these tracking tools. OCR’s guidance, which prohibits the use of these tools on healthcare websites unless certain conditions are met, was partially overturned after a legal challenge. The legal challenge related to matching IP addresses with information collected from unauthenticated healthcare web pages. The challenge was successful and vacated that part of the guidance but did not render the guidance document invalid. If code snippets are used on authenticated web pages or web pages with forms that collect sensitive information then OCR’s guidance applies and healthcare providers risk regulatory penalties and class action lawsuits over privacy violations. The code snippets should only be used on unauthenticated web pages that do not collect health information if they are to be used at all.
