Meta Faces Another Lawsuit Over Health Data Privacy Practices

August 01, 2022 - Meta is facing another lawsuit over its health data privacy practices. As previously reported, a report co-published by The Markup and STAT alleged that Meta (the parent company of Facebook) used its Meta Pixel tracker to scrape hospital websites for health data.

The report found evidence that the Meta Pixel, a portion of JavaScript code that allows websites to track visitor activity, was being used on hundreds of hospital websites. When the tracker was present within password-protected patient portals, it allegedly sent packets of data to Facebook whenever someone clicked a button to schedule a doctor’s appointment.

Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors’ names, which could all be linked to the user’s unique IP address.

According to Meta, the Meta Pixel can collect anything present in HTTP headers, button click data, form field names, and more. The Markup tested the websites of Newsweek’s top 100 hospitals in America and found the Meta Pixel on about a third of them. In fact, the Meta Pixel is present on more than 30 percent of the most popular websites, the report found.

Meta is already facing at least one other lawsuit, which alleged that the company violated Facebook’s duty of good faith and fair dealing rules, the federal Electronic Communications Privacy Act, and California’s Invasion of Privacy Act and Unfair Competition Law.

The latest lawsuit, filed by a Jane Doe who was a patient at UCSF Medical Center and Dignity Health Medical Foundation, similarly claimed that Meta harvested her health data when she entered her information into the hospitals’ patient portals.

The plaintiff alleged that Meta used her data for profit “when it allowed pharmaceutical and other companies to send her targeted advertising related to her medical conditions.”

“With the tracker present within password-protected patient portals, packets of data were allegedly sent to Facebook whenever someone clicked a button to schedule a doctor’s appointment. Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors’ names, which could all be linked to the user’s unique IP address,” the lawsuit stated.

“Meta knows that the User Data collected through its Pixel on Healthcare Defendants’ websites includes highly sensitive medical information but, in reckless disregard for patient privacy, continues to collect, use, and profit from this information.”

Meta did not appear to have HIPAA business associate agreements (BAAs) in place with the hospitals in question. The lawsuit alleged that Meta deceived the public into believing that their data was kept private. The plaintiff argued that Meta’s violations were “willful, deceptive, unfair, and unconscionable.”

The plaintiff is seeking compensatory damages from Meta. The data privacy issues raised in the lawsuit highlighted concerns over third-party vendor relationships and the need to regulate health data privacy practices outside of HIPAA-covered entities.