Meta Facing Further Class Action Lawsuit Over Use of Meta Pixel Code on Hospital Websites

Meta is facing another class action lawsuit over the unlawful collection and sharing of health data without content. The lawsuit was filed in the Northern District of California on behalf of plaintiff, Jane Doe. The lawsuit alleges Meta and its companies, including Facebook, have been collecting the sensitive health data of millions of patients without obtaining express consent and have used the information to serve individuals with targeted advertisements.

Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation and claims her sensitive health was unlawfully obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added Meta Pixel code to the web pages of the patient portal. Meta Pixel is a snippet of JavaScript code that is used to track website visitors. The code records and transmits to Meta the web pages that a user visits. If the code is present on a web page with a form, such as those used to book appointments, the selections from drop-down boxes are recorded and transmitted. Those selections could indicate a patient’s medical condition or why an appointment has been booked.

One of the targeted Facebook adverts served to Jane Doe. Source: Jane Doe v. Meta Platforms, Inc. F/K/A Facebook, Inc., UCSF Medical Center, and Dignity Health Medical Foundation.

Jane Doe said she has been a user of Facebook since 2012 and alleges her privacy has been violated, as her information was collected and used without her consent. The information entered on the form was used by Meta to serve her with targeted advertisements related to her medical condition. The lawsuit alleges a violation of HIPAA, as neither UCSF Medical Center nor Dignity Health Medical Foundation had entered into a business associate agreement with Meta or Facebook, and at no point did Meta, Facebook, or the hospitals obtain content or inform patients that their information was being provided to Meta to deliver targeted advertisements.

Under HIPAA, healthcare providers are permitted to disclose an individual’s protected health information to another HIPAA-covered entity or a third-party vendor for reasons related to treatment, payment, or healthcare operations, and in such cases, consent is not required from the patient. Most other disclosures require a HIPAA-covered entity to enter into a business associate agreement with the third party prior to any disclosure of PHI, and content is required from the individuals whose PHI is disclosed.

Please see the HIPAA Journal Privacy Policy

There is no private right of action in HIPAA, so it is not possible for individuals to sue their healthcare providers for HIPAA violations, but there are often equivalent federal and state laws that do have a private right of action. In this case, the lawsuit makes sixteen claims including common law invasion of privacy – intrusion upon seclusion, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Constitution, California Confidentiality of Medical Information Act (CMIA), California Business and Professions Code, California Invasion of Privacy Act, the Comprehensive Computer Data Access and Fraud Act, and the Federal Wiretap Act.

The lawsuit alleges the plaintiff and class members have suffered damage and loss as a result of the conduct of the defendants, which has deprived the plaintiff and class members of control of their valuable property, the ability to obtain compensation for their data, the ability to withhold their data from sale, and that the violations have resulted in irreparable and incalculable harm and injuries. The lawsuit seeks damages and injunctive and equitable relief.

The lawsuit makes similar allegations to another lawsuit filed against Meta, in that case by plaintiff John Doe, who was a patient of MedStar Health in Maryland. The Markup recently conducted an investigation into the sharing of healthcare data with Meta/Facebook via Meta Pixel on hospital websites and found that 33 of the top 100 hospitals in the United States had the Meta Pixel code on their websites, and 7 hospitals had the code installed on their patient portals behind logins, yet consent to share data was not obtained.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.