Kroger Faces Lawsuits For Sharing Health Data With Meta Via Tracking Pixel Use

The two proposed class action lawsuits alleged that Kroger unlawfully used tracking technologies to collect sensitive health data which was then transmitted to Meta.

By Jill McKeon

Grocery chain Kroger is facing two class action lawsuits tied to its use of tracking technologies. Both lawsuits alleged that Kroger pharmacy patients were not informed that their health data was being shared with third parties, such as Meta.

As previously reported, healthcare organizations and other entities that maintain health data have been under scrutiny for the past year over their use of third-party tracking technologies. Healthcare organizations may initially install these tools to measure and evaluate website visitor trends, but the tools may also disclose sensitive information to the tech companies that offer them.

The first lawsuit against Kroger, filed on November 10 in the US District Court of the Southern District of Ohio, alleged that the information patients provided to Kroger was being intercepted by tech companies thanks to the presence of tracking pixels.

“Plaintiff and Class Members used the Website to submit information related to their prescriptions. The Private Information unauthorized third parties received revealed individual patients’ identities and details about the confidential health care they sought and received from Defendant, including the name of their prescription medications, dosage and form of the medication, and more,” the filing stated.

“In turn, these disclosures allow third parties to reasonably infer that a specific patient was being treated for a specific type of medical condition such as cancer, pregnancy, HIV, mental health conditions, and an array of other symptoms or conditions.”

The plaintiff suggested that this personal information could have been connected directly with a patient’s individual Facebook profile. The lawsuit alleged that Kroger had breached its statutory and common law obligations to patients, despite clearly defined rules under HIPAA and the Federal Trade Commission’s guidance.

“Despite these clear laws and regulations, Defendant has essentially planted a bug on patients’ web browsers that forced them to disclose private and confidential Communications to third parties,” the plaintiff suggested.

“Kroger’s utilization of the Tracking Tools to secretly track and share with third parties its users’ Communications on its Website is the electronic equivalent of looking over the shoulder of each visitor for the entire duration of their Website interaction. Defendant did not disclose the presence of these Tracking Tools to Website users filling prescriptions with Kroger.”

The second lawsuit, filed on November 13, made similar allegations about Kroger’s misconduct. The plaintiff suggested that class members had suffered numerous injuries as a result, such as invasion of privacy and diminution of the value of their private information.

The plaintiff alleged that Kroger violated the Electronic Communications Privacy Act and had committed negligence, breach of implied contract, and breach of fiduciary duty.

This is far from the first lawsuit filed in relation to third-party tracking tech. In fact, law firm BakerHostetler’s 2023 Data Security Incident Response Report (DSIR) observed more than 50 tracking tech-related lawsuits being filed against hospital systems in 2022 alone.

As this tension continues, lawsuits will likely continue to surface, answering key questions about how data flows through healthcare organizations and interacts with third-party tracking tech.