Facebook’s HIPPA Violation

 Lawsuit Against Facebook  For Wrongly Collecting Patient Data 

Meta Platforms is facing a potential class-action lawsuit for allegedly using its Pixel tracking tool to get patient information from hospital portals for target marketing purposes. Allegedly, Facebook wrongly tracked patient information of at least 664 hospital systems or medical provider websites, according to a class-action lawsuit filed in federal court.

Kiesel Law LLP filed the case in the U.S. District Court for the Northern District of California. The plaintiff is identified as “John Doe,” described as a Maryland resident, Facebook user, and a patient of MedStar Health Inc. The lawsuit said that the patient used that company’s patient portal to view medical records and lab results “and otherwise communicate with his provider” during the time my MedStar portal had Facebook Pixel deployed on its login page. MedStar was not named as a party in the court case. 

He requests class-action status and a jury trial. The case was filed a day after The Markup found that 33 of the top 100 hospitals in the United States were using a Meta Pixel tracker on their websites. Installing the Meta Pixel gives groups access to analytics about Facebook and Instagram ads analytics. It also tracks how people use their websites: the buttons they click, the information they put in forms, and so on. The action has been assigned to Judge Nathanael M. Cousins and the Alternative Dispute Resolution Multi-Option Program. The initial case management conference is set for September 21 in San Jose, California.

WHAT THE LAWSUIT CLAIMS

Under HIPAA, hospitals cannot share identifiable health information with third parties without patients’ consent. They can use and share anonymized data (and often do). But information linked to an IP address can classify data as identifiable health information, which has additional protections. 

The court document said that patient data is protected by HIPAA and requires valid HIPAA-compliant authorisation before Facebook collects it. The lawsuit claims breach of contract, violations of good faith and fair dealing, invasion of privacy, federal and state privacy laws and state unfair competition law, and negligent misrepresentation by Facebook parent company Meta Platforms Inc. It seeks unspecified compensatory and punitive damages but noted the “amount in controversy” exceeds $5 million.

The Pixel tracking tool is being improperly used on hospital patient portals, resulting in a “wrongful redirection” to Facebook of patient communications to register, sign in or out, request or set appointments, or call the provider via their computer devices, the lawsuit said. “This unlawful collection of data is done without the knowledge or authorisation of the patient, like plaintiffs, in violation of federal and state laws as well as Facebook’s contract with its users,” the court document said. “When a patient communicates with a healthcare provider’s website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient’s communication with their healthcare provider to be redirected to Facebook in a fashion that identifies them as a patient.”

The legal complaint said: “When a patient communicates with a health care provider’s website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient’s communication with their health care provider to be redirected to Facebook in a fashion that identifies them as a patient.”

The lawsuit acknowledged Facebook requires businesses that use Pixel must have lawful rights to collect, use and share data. But in reality, Facebook does not need medical providers to have patient consent, and its contract for medical providers does not mention patient privacy rules of the federal Health Insurance Portability and Accountability Act of 1996 known as HIPAA. Facebook then used the patient information “to generate highly profitable targeted advertising on and off Facebook,” according to the lawsuit.

Facebook allegedly monetises the information by using it to generate profitable, targeted advertising on and off Facebook and to target patients based on their actions on the providers’ websites.  The social media network also offered “remarketing,” serving specific ad campaigns to patients based on patients’ online interactions with the health care websites. “For example, Facebook could target ads to a patient who had (1) used the patient portal and (2) viewed a page about a specific condition, such as cancer,” or could exclude patients from receiving certain ads, the lawsuit said.

IN THE NEWS

The lawsuit followed a June 16 report co-published by the non-profit The Mark-up, a technology watchdog media organization working with STAT medical news. The Mark-up tested websites of Newsweek’s top 100 hospitals in America and found 33 were using the Facebook Pixel online tracker, also called the Meta Pixel. The Mark-up investigated Facebook data from actual patients who volunteered for its Pixel Hunt project, a collaboration with Mozilla, the developer of the Firefox Browser for the Internet.

The Mark-up was unable to determine whether or how Facebook used the data. A Meta spokesperson told The Mark-up that Facebook has filters that detect and remove sensitive health data sent from businesses. It’s unclear if the data transmitted by hospital websites was or was not caught by those filters. But the filters don’t always work as described. Another investigation from The Mark-up found that details about people looking for information about abortion or emergency contraceptives (which are not supposed to be sent to Facebook) made their way through to the platform.

THE LARGER TREND

In September 2020, a federal judge dismissed a lawsuit against the University of Chicago Medical Center and Google over data sharing.

In 2017, The University of Chicago, the University of Chicago Medical Center and Google began a research partnership in which they used machine-learning techniques to create predictive health models to reduce hospital readmissions. As part of the research, the University de-identified electronic medical records of adult patients, the court document said. 

The judge said the plaintiff received a disclaimer from The University of Chicago Medical Center on sharing information for research purposes. The court dismissed the plaintiff’s claim of breach of contract and requested monetary damages.