Healthcare innovation

Class Action Lawsuits Against Meta Move Forward,…

Damages may be payable to any patient whose personally identifiable information (PII) and protected health information (PHI) were captured and sent to Facebook by the Meta Pixel. According to an Aug. 2 article from The Verge by Nicole Wetsman, two proposed class-action lawsuits claim that Facebook's parent company Meta and a number of U.S. hospitals violated medical privacy laws with a tracking tool that sends health information to Facebook.

Wetsman reports that “The lawsuits, filed in the Northern District of California in June and July, focus on the Meta Pixel tracking tool. The tool can be installed on websites to provide analytics on Facebook and Instagram ads. It also collects information about how people click around and input information into those websites.”

A July 30 article from Bleeping Computer by Bill Toulas says that “The Meta Pixel is a piece of code that can be injected into any website to aid with visitor profiling, data collection, and targeted advertising.”

According to Toulas, the Meta Pixel takes up the space of a single pixel and assists in collecting data like button clicks, scrolling patterns, data entered in forms, and IP addresses, among others.

“This data collection takes place for all users even if they don’t have a Facebook account,” Toulas adds. “However, for Facebook users the collected data is linked to their account for deeper correlation.”

An investigation published by The Markup in June found that 33 of the top 100 hospitals in the U.S. use the Meta Pixel on their websites, including seven that had installed it inside password-protected patient portals. The investigation found that the Meta Pixel was sending information about patient health conditions, medical appointments, and medication allergies to Facebook.

Wetsman notes that “In one of the lawsuits, a patient says that her medical information was sent to Facebook by the Meta Pixel tool on the University of California San Francisco and Dignity Health patient portals (those hospitals are also defendants in the suit). The patient then was served advertisements targeted to her heart and knee conditions, the lawsuit says.”

“The other lawsuit, from a patient at the MedStar Health System in Baltimore, Maryland, alleges that at least 664 healthcare providers have sent medical data to Facebook through the Meta Pixel,” she adds.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) requires covered healthcare organizations to obtain patient authorization before disclosing personally identifiable health information to outside groups for purposes other than treatment, payment, or operations. Meta says that it requires groups using the Meta Pixel to have the right to share data before sending that data to Facebook, and that personal health data is filtered out. The lawsuits claim that Meta knows it is not enforcing those policies and that the Meta Pixel was put on organizations’ websites knowing it would collect sensitive health information.

Before the lawsuits can move forward, they will have to be certified as class actions by a judge. If either lawsuit moves forward, damages may be payable to any patient whose private personal identifying information and protected health information data was scraped by Meta Pixel.

Healthcare Innovation reached out to Richard Staynings, healthcare technology and cybersecurity strategist, for comment. He notes that “In what will likely be a double blow, the collected data was not just innocuous de-identified medical information. The data Meta received reportedly contained doctors’ names, IP addresses, and other data defined as HIPAA identifiers. It would therefore be relatively easy to reverse engineer this PHI data to determine the patient identity.”

“It seems probable, given what we know so far, that Meta Corporation could be charged with multiple breaches of HIPAA,” he says. “It also seems likely that various state Attorneys General (AGs) will be looking very carefully to determine if the Pixel code is present in their jurisdictions on web pages where there is an expected right of privacy. This is especially so on healthcare portals. Finally, it also seems likely that the Office of Civil Rights (OCR) and AGs will be looking carefully at healthcare providers to examine their policies, standards, procedures and guidelines around due diligence for acceptance of web application technologies and enabled functionality.”
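The check Staynings describes, whether the Pixel code is present on pages where a patient expects privacy, can be scripted against a site's page sources, and the same markers are what the Bleeping Computer description of the Pixel as "a piece of code that can be injected into any website" refers to. The Python below is an added example, not code from the article, from Meta or from any of the hospitals named above. It looks for the publicly documented markers of the Pixel install snippet (the fbevents.js loader, the fbq('init', ...) call carrying the pixel ID, and the <noscript> fallback beacon at facebook.com/tr) and flags pages that also contain a password field or a patient-facing form. The hospital.example URLs, the pixel ID 1234567890, the privacy heuristic and the sample HTML are constructed placeholders for illustration.

```python
"""Static scan for the Meta Pixel on pages that handle patient data.

Added example (not the article's or Meta's code). Sample pages and the
pixel ID 1234567890 are constructed placeholders.
"""
import re
from dataclasses import dataclass

# Publicly documented markers of the Meta Pixel install snippet.
FBEVENTS_RE = re.compile(r"connect\.facebook\.net/[A-Za-z_]+/fbevents\.js")
FBQ_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
NOSCRIPT_RE = re.compile(r"""facebook\.com/tr\?[^"'\s]*\bid=(\d+)""")

# Heuristic (an assumption for this example) for pages where a patient
# expects privacy: a password field, or a form about appointments,
# medications or patient records.
SENSITIVE_RE = re.compile(
    r"""<input[^>]+type=["']password["']|<form[^>]*(appointment|medication|patient)""",
    re.I,
)


@dataclass
class Finding:
    url: str
    loads_pixel: bool     # loader script, fbq init or noscript beacon present
    pixel_ids: list       # distinct pixel IDs found on the page
    sensitive_page: bool  # page matched the privacy heuristic


def scan_page(url: str, html: str) -> Finding:
    """Report whether this page, served as-is, would load the Pixel."""
    ids = set(FBQ_INIT_RE.findall(html)) | set(NOSCRIPT_RE.findall(html))
    loads = bool(FBEVENTS_RE.search(html)) or bool(ids)
    return Finding(url, loads, sorted(ids), bool(SENSITIVE_RE.search(html)))


def pages_needing_review(pages: dict) -> list:
    """URLs where the Pixel loads on a page that handles patient data."""
    findings = [scan_page(url, html) for url, html in pages.items()]
    return [f.url for f in findings if f.loads_pixel and f.sensitive_page]


# Constructed sample snippet. The real install snippet bootstraps the
# loader from an inline function, but the fbevents.js URL, the fbq init
# call and the noscript beacon are the same markers.
PIXEL_SNIPPET = """
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>
fbq('init', '1234567890');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
"""

NOSCRIPT_ONLY = """
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
"""

# Constructed sample site: public home page, portal login, an
# appointments page where only the noscript beacon was left behind,
# and a privacy page with no tracking at all.
SAMPLE_PAGES = {
    "https://hospital.example/":
        "<html><body><h1>Welcome</h1>" + PIXEL_SNIPPET + "</body></html>",
    "https://hospital.example/portal/login":
        "<html><body><form action='/portal/login'>"
        "<input type='password' name='pw'></form>" + PIXEL_SNIPPET + "</body></html>",
    "https://hospital.example/portal/appointments":
        "<html><body><form id='appointment-form'><input name='date'></form>"
        + NOSCRIPT_ONLY + "</body></html>",
    "https://hospital.example/privacy":
        "<html><body><p>Notice of privacy practices.</p></body></html>",
}


if __name__ == "__main__":
    for url, html in SAMPLE_PAGES.items():
        f = scan_page(url, html)
        print(f"{url}: pixel={f.loads_pixel} ids={f.pixel_ids} sensitive={f.sensitive_page}")
    print("Needs review:", pages_needing_review(SAMPLE_PAGES))
```

A static scan of fetched HTML is only the first pass: the Pixel is often injected at runtime by a tag manager, and pages inside a patient portal are only reachable with a test account, so a real audit also inspects the rendered DOM and the outbound requests to facebook.com/tr from an authenticated session.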
