Website Tracking Lawsuit Against Orlando Health Survives Motion to Dismiss
A lawsuit against Orlando Health in Florida over the disclosure of the plaintiff’s data to third parties via tracking tools on its website has survived a motion to dismiss. The plaintiff alleged that after visiting the website of Orlando Health and performing medical searches she was targeted with Facebook ads specific to her medical conditions.
The plaintiff researched conditions such as fatty liver disease, heart problems, and ileostomy on the Orlando Health website and was later displayed advertisements on Facebook about ileostomy bags, treatments for heart failure, and services from neurologists at Orlando Health. The plaintiff believes the advertisements she saw were a direct result of the searches on the Orlando Health website, and the tools that allowed targeted advertising were largely invisible. She alleged that the tracking code sent a copy of the data she entered on the website to third parties such as Meta and Google in real-time without her knowledge or consent, and then the information was used to try to sell her products and services based on the intercepted communications.
Website tracking technologies are extensively used on websites. While the tools can be used to collect visitor data and improve the quality of websites, they also collect user data for advertising purposes, such as targeted adverts when visitors leave the website and browse the web. The HHS’ Office for Civil Rights issued guidance for HIPAA-regulated entities on the use of these tools, which OCR said could violate HIPAA. The guidance was challenged in court and was partially rescinded, and while tracking tools on websites do not violate HIPAA when they are added to unauthenticated web pages, they cannot be used on authenticated websites unless consent is obtained or a business associate agreement is signed with the provider of those tools.
The lawsuit – W.W. v. Orlando Health – was filed not over a HIPAA violation but for a violation of a Florida wiretap law – the Florida Security of Communications Act (FSCA) – which prohibits the intentional interception of electronic communications. Orlando Health attempted to have the case dismissed, claiming it only tracked metadata, and not the content of any communications. Judge Julie S. Sneed disagreed.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Orlando Health encouraged patients to search for medical conditions on its website, communicate their medical symptoms, and access its MyChart patient portal and appointment booking system. The search terms used by individuals on the website represent more than just website browsing, as they communicate sensitive information about health conditions. As such, Judge Sneed ruled that the communications fall under the definition of communications under FSCA.
Judge Sneed determined that the plaintiff successfully alleged the three requirements for an FSCA claim, namely that Orlando Health intercepted her electronic communications, those interceptions captured protected contents covered by the statute, and because the tracking tools were hidden from website users, that the communications were intercepted without the plaintiff’s knowledge. Judge Sneed did dismiss one of the claims in the lawsuit, invasion of privacy by intrusion upon seclusion, on the grounds that Florida law requires such a claim to involve intrusion into a private place rather than a private activity.
