Another lawsuit has been filed against Meta by a patient who claims her private healthcare information was collected without consent and was used to serve targeted advertisements related to her medical condition.
The plaintiff, Jane Doe, was a patient of UCSF Medical Center and the Dignity Health Medical Foundation, who have also been named in the lawsuit. The case stems from the inclusion of Meta Pixel on web pages behind a login on the patient portals used by the healthcare providers. Meta Pixel is a snippet of JavaScript code for tracking what visitors do on websites. The code will collect data from HTTP headers, Pixel-specific data, button click data, optional values, and form field names.
The problem with the use of the code on healthcare websites, especially on patient portals where sensitive data is disclosed, is healthcare data is protected under the Health Insurance Portability and Accountability Act (HIPAA), and uses and disclosures of healthcare data are restricted. It is not permissible to disclose the protected health information of individuals for reasons other than the provision of healthcare, payment for healthcare, or healthcare operations unless consent is obtained. Any company that receives protected health information is classed as a business associate and is required to sign a business associate agreement and is then bound by the HIPAA Regulations.
Meta Pixel collects data from form fields, so if a patient were to book an appointment on a website and click an option in the drop-down menu – such as the reason for an appointment – that may disclose information about the patient’s medical condition. Earlier this year, an investigation was conducted by The Markup into the use of Meta Pixel on hospital websites. The researchers looked at the top 100 hospitals in the United States and found that 33 of them had used Meta Pixel on their websites, and 7 had Meta Pixel behind patient portals.
The issue here is one of consent. The information is being collected without patients being informed, and the information is being used without consent. Meta is also not entering into business associate agreements, which puts the hospitals that use Meta Pixel at risk of fines by regulators for non-compliance with HIPAA. Earlier this year, a lawsuit was filed by a patient of MedStar Health that made similar allegations against Meta.
The latest lawsuit, which includes 16 claims, alleges invasion of privacy, unjust enrichment, breach of contract, breach of implied contract, intrusion upon seclusion, and violation of medical information confidentiality.
It is not possible to sue for a HIPAA violation, and while HIPAA violations have been alleged, the lawsuit has been filed for alleged violations of the Californian Constitution, California Confidentiality of Medical Information Act, California Business and Professions Code, California Invasion of Privacy Act, the Comprehensive Computer Data Access and Fraud Act, and the Federal Wiretap Act.
The lawsuit claims that these violations have caused the plaintiff and class members irreparable and incalculable harm and injuries, and seeks damages, injunctive and equitable relief.