A class-action lawsuit has been filed against Meta for allegedly scraping Protected Health Information (PHI) from hospital and medical provider websites. The case was filed in the Northern District of California by John Doe, a patient of the MedStar Health System in Baltimore, Maryland. Doe accused Meta of violating the standards of the Health Insurance Portability and Accountability Act by knowingly obtaining Protected Health Information without authorization from at least 664 medical providers using the Facebook Pixel tool on their websites.
The lawsuit claims that Meta creates targeted adverts by improperly using its Pixel tracking tool on hospital patient portals to redirect Protected Health Information to Facebook. The lawsuit asserts that Facebook’s user agreement and federal and state laws are all directly violated by the unauthorized data collection. John Doe describes his personal encounter with the alleged data scraping. As a patient of the Baltimore-based MedStar Health System, the plaintiff claims that after he signed into the website’s patient portal to view his information, Pixel redirected his data from his personal device to Facebook. The redirected information included the fact that the patient had subscribed to and logged into the patient portal, information regarding his previous uses, his IP address, and the fact that he had communicated with MedStar via the health system’s website.
The lawsuit also contends that despite intentionally obtaining health information from medical providers’ websites, Meta hasn’t required providers to obtain the appropriate authorization prior to disclosing the information to Facebook. The social media giant does not require healthcare providers to have legal authority to share Protected Health Information from their own patient portals to Facebook. Instead, Facebook includes a clause in its standard contract which establishes an honor system for publishers. Under this system, publishers are expected, not required, to provide sufficient notices to their users concerning Pixel’s data collection and disclosures. Meta may be required to update its privacy policies if it is found guilty of the allegations.
This is not the first complaint Meta has received regarding improperly collecting health data. In 2016, Meta was accused of compromising patient privacy. In 2018, the Federal Trade Commission accused Meta of misleading users regarding the privacy policies of “closed health groups”. Significantly, a 2019 settlement with the Federal Trade Commission required Meta to implement specific controls and notices for users concerning its data use. The settlement came after Meta mishandled user communications and deceived users about their ability to protect their data privacy.