Earlier this summer, two lawsuits were filed in California’s Northern District Court alleging that many of the nation’s leading hospitals and health care systems used a tracking tool, Facebook’s Meta Pixel, to scrape private medical data and personally identifying information about their websites’ users.
A judge must certify both lawsuits as class actions for them to proceed. If either is certified, patients whose medical privacy was breached in these data scrapes can seek damages.
The plaintiffs’ lawsuits are based on information found during an investigation by The Markup, a nonprofit newsroom that focuses on how powerful institutions’ use of technology changes society. The organization’s investigation revealed that hospitals installed the tracking tool and accessed sensitive patient medical information regarding upcoming doctor appointments, prescribed medications, and diagnosed conditions. That data was then sent to Facebook to tailor ads to the users of the social media platform.
In just one example of how this might affect Facebook users, it’s no coincidence if patients diagnosed with chronic obstructive pulmonary disease (COPD) by physicians from one of the named hospitals are inexplicably bombarded on their Facebook pages with ads related to that condition.
The investigators chose the country’s top 100 hospitals, as per Newsweek, to check for the use of the Meta Pixel. The tracker was installed in a full third of the listed health care institutions.
Each time a Facebook user accessed the hospitals’ online portals to schedule physician appointments, packets of data were sent to Facebook. The identifying information included the IP address of the user. Since an IP address can be traced to a physical location, the veil of privacy for the patient was particularly thin, and sending the data was likely a breach of federal Health Insurance Portability and Accountability Act of 1996 (HIPAA) regulations.
These civil lawsuits could also lead to criminal charges by the state’s attorney general for alleged HIPAA violations if private and sensitive patient data is proven to have been used without the proper consent of the patients.
The Office for Civil Rights (OCR) could also investigate the way health care providers secure their patients’ privacy and enforce their best practices to ensure the highest standards of care are upheld.