A class action lawsuit filed in the U.S. Northern District of California claims that Facebook’s Pixel tracking tool mined data from hospital websites and violated the medical privacy of “millions of patients.” The suit follows a STAT report detailing the alleged misuse of the Pixel on hospital websites.
The social media giant “knowingly receives patient data, including patient portal usage information, from hundreds of medical providers in the US who have implemented the Facebook Pixel on their web properties,” according to the lawsuit.
The information collected by the Pixel is monetized “by using it to generate highly profitable targeted advertising on and off Facebook.” So far, the legal team has identified at least 664 hospital system or medical provider websites where Pixel allegedly obtained health data for Facebook.
Lawsuit Says Facebook Pixel Violated HIPAA Rules
According to the filing, Pixel redirects patient data from “supposedly ‘secure’ patient portals,” resulting in the “incorrect and contemporaneous redirection of patient communications to Facebook.”
“When a patient contacts a healthcare provider’s website where the Facebook pixel is present on the patient portal login page… [the tracking tool’s] source code causes the exact content of the patient’s communication with their health care provider to be redirected to Facebook in a way that identifies them as a patient,” according to the lawsuit.
The lawsuit claims that the data collection is done without the consent or knowledge of patients, in direct violation of federal and state laws, as well as Facebook’s contract with its users. And Facebook is allegedly aware of Pixel’s “illegal data collection.”
The plaintiff, known only as John Doe, detailed his own experience with the alleged data scraping, as a patient at MedStar Health System in Baltimore. Doe claims he used the health system’s patient portal to review lab results, schedule appointments and communicate with providers.
But when he logged into the patient portal, “Pixel, secretly displayed on the web page, sent the fact that you clicked to log into the patient portal to Facebook,” Doe alleged. The data allegedly redirected by the Pixel from the patient’s device to Facebook included the fact that the patient was communicating with MedStar through the health system’s website, as well as the clicks to subscribe and log in to the patient portal.
The tool also allegedly informed Facebook that the patient had previously reviewed breast health information on MedStar’s website, along with the patient’s IP address, identifiers Facebook uses to identify patients and their devices, and “browser attribute information sufficient to fingerprint the patient’s device.”
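The conduct alleged above comes down to a Pixel loader sitting on a patient-portal login page and reporting page views and button clicks back to Facebook. The following added example (not code from the lawsuit, STAT or Meta) is a defender-side check a hospital web team could run over its own page HTML to flag Pixel indicators on login or portal pages; the `fbevents.js` loader and `fbq()` call names are Meta’s publicly documented Pixel snippet, while the sample HTML and the pixel id are constructed placeholders.

```python
# Added example (not from the lawsuit or STAT): a defender-side check that scans
# a page's HTML for Facebook Pixel indicators and flags Pixel on authentication /
# patient-portal pages. Sample HTML is constructed; the pixel id is a placeholder.
import re
from dataclasses import dataclass, field

PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[^'\"\s]*fbevents\.js", re.I)
PIXEL_CALL = re.compile(r"\bfbq\(\s*['\"](init|track|trackCustom)['\"]\s*,"
                        r"\s*['\"]([^'\"]+)['\"]", re.I)
NOSCRIPT_BEACON = re.compile(r"facebook\.com/tr\?[^'\"\s]*id=(\d+)", re.I)
# Words suggesting the page is a portal / login context where PHI may be in play.
PORTAL_MARKERS = re.compile(r"patient portal|log ?in|password|mychart|appointment", re.I)

@dataclass
class PixelFinding:
    has_loader: bool
    pixel_ids: list = field(default_factory=list)
    events: list = field(default_factory=list)
    sensitive_context: bool = False

    @property
    def high_risk(self) -> bool:
        # Pixel present AND the page looks like a portal/login page.
        return bool(self.has_loader or self.pixel_ids) and self.sensitive_context

def scan_html(html: str) -> PixelFinding:
    finding = PixelFinding(has_loader=bool(PIXEL_LOADER.search(html)))
    for kind, value in PIXEL_CALL.findall(html):
        (finding.pixel_ids if kind.lower() == "init" else finding.events).append(value)
    for pid in NOSCRIPT_BEACON.findall(html):  # <noscript> fallback image beacon
        if pid not in finding.pixel_ids:
            finding.pixel_ids.append(pid)
    finding.sensitive_context = bool(PORTAL_MARKERS.search(html))
    return finding

# Constructed sample of a portal login page carrying the Pixel (placeholder id).
SAMPLE_PORTAL_PAGE = """<html><head><title>Patient Portal Login</title>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script></head>
<body><form action="/portal/login"><input type="password" name="password">
<button onclick="fbq('trackCustom', 'PortalLoginClick')">Log in</button></form>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/>
</noscript></body></html>"""
# Constructed sample of the same page with the tracker removed.
SAMPLE_CLEAN_PAGE = "<html><body><h1>Patient Portal Login</h1><input type='password'></body></html>"
```

Run `scan_html()` over each fetched page and treat `high_risk` findings as a data-flow review item, since the Pixel reports the recorded events to Facebook regardless of what the portal itself does with them.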
The lawsuit argues that this data tracking and scraping directly violates the Health Insurance Portability and Accountability Act, which would require Facebook to obtain a “valid HIPAA-compliant authorization” before collecting any such data.
Additionally, Doe claims that neither Facebook nor any of the hospitals that use Pixel on their websites obtained HIPAA clearances prior to implementing the tool, particularly for the disclosure of patient status and health information to the social media giant.
The lawsuit further asserts that despite knowingly receiving this health data from vendors, Facebook has failed to take action to enforce its requirement that vendors obtain proper consent before providing the data to Facebook.
In addition, Facebook uses the data to sell targeted advertising “to target patients based on specific actions a patient has taken on medical provider websites,” as well as “in remarketing based on positive targeting” or specific advertising campaigns.
“For example, Facebook could target ads to a patient who has used the patient portal and viewed a page about a specific condition, such as cancer,” according to the lawsuit.
In short, the social media giant and its parent company, Meta, are charged with breach of contract and of the duty of good faith and fair dealing, along with trespass, violation of the California Constitution, violations of federal and state electronic communications privacy and wiretapping laws, negligent misrepresentation, and violation of the California Invasion of Privacy Act.
Previous allegations of Facebook collecting health data
This is certainly not the first time Facebook has been accused of dubious mining or harvesting of health data from its platform.
In fact, a 2016 lawsuit claimed that Facebook compromises patient privacy, while a 2018 FTC complaint accused Facebook of misleading users about the privacy practices of “closed health groups” and argued that the platform “misleadingly solicited” patients to use Facebook’s “Groups” feature to share their personal health information.
However, Facebook allegedly failed to protect the data uploaded to these groups, possibly exposing the data to the public.
Meanwhile, a 2019 settlement with the Federal Trade Commission settled charges that Facebook misled users about their ability to control the privacy of their data and closed a massive FTC investigation into how the platform mishandled Facebook users’ communications and a massive loss of patient data.
The settlement required specific controls and notices to users about the use of their data, and later led the FTC to file a complaint with the Department of Justice with similar allegations: “Facebook repeatedly used misleading disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.”
The complaint further claimed that Facebook’s tactics allowed it to share users’ personal information with third-party applications downloaded by users’ Facebook “friends.” The state of New York launched its own investigation after these allegations came to light.