Meta Sued over the Scraping of Patient Data from Hospital Websites

A lawsuit has been filed against Meta that alleges the social media giant has been knowingly collecting patient data from hospital websites via the Meta Pixel tracking tool, and in doing so has violated the privacy of millions of patients.

The lawsuit was filed in the U.S. Northern District of California and alleges violations of state and federal laws related to the collection of patient data without consent. Last week, a report was released by The Markup/STAT on a study on the 100 top hospitals in the United States which found that one-third used the Meta Pixel tool on their websites. The Meta Pixel tool is a snippet of JavaScript code that is used to track visitor actions on websites, such as the forms they click and the options they select from dropdown menus. When the tool is included on healthcare providers’ websites, there is potential for the tool to transmit protected health information to Meta/Facebook, such as IP address, when a patient has scheduled an appointment and any information selected from menus, such as the medical condition that the appointment is about.

The study identified 7 hospital systems that had installed Meta Pixel on their patient portals behind password protection and the tool was transmitting sensitive data such as patient conditions, which could be tied to the patients through their IP addresses. The study found no evidence that Meta had entered into a business associate agreement with the hospitals, nor that consent to share patient data with Meta was obtained from patients by the hospitals and healthcare systems that used Meta Pixel.

The lawsuit was filed on behalf of patient John Doe, who is a user of Facebook and a patient of Medstar Health System in Maryland. The plaintiff said he uses the patient portal for making appointments, communicating with providers, and reviewing lab test results, and did not consent to information being shared with Meta/Facebook. Medstar Health said all patient data is secured and it does not use any Facebook/Meta technologies on its website. According to the lawsuit, at least 664 healthcare systems in the United States have added the Meta Pixel tool to their websites, which sends sensitive data to Meta.

Meta states on its website that “If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.” However, the lawsuit claims, “Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.” The lawsuit alleges the use of the tool on hospital websites without obtaining consent is a violation of the Health Insurance Portability and Accountability Act (HIPAA), as the data is collected without a business associate agreement. It should be noted that Meta/Facebook is not bound by HIPAA Rules; however, the hospitals that use the tool could be in violation of HIPAA for transferring the data without consent.

The lawsuit alleges a breach of the duty of good faith and fair dealing, and violations of federal and state laws, including the federal Electronic Communications Privacy Act and California’s Invasion of Privacy Act and Unfair Competition Law. The lawsuit seeks class action status, compensatory and punitive damages, and attorneys’ fees.

This is not the first lawsuit to be filed against Facebook over the collection of data from hospital websites. The same attorneys had a case against Facebook dismissed in 2018 – Smith et al v. Facebook – over the collection of browsing data from hospital websites. The decision was upheld by the U.S. Court of Appeals for the 9th Circuit, which ruled that the plaintiffs could not sue Facebook as they had agreed to Facebook’s contract terms.

A copy of the lawsuit was obtained by Reclaim the Net and is published here.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.