It used to be that in a world full of malware and spy technology designed to harvest our personal data, one of the few places that federal law made the public feel protected was the doctor’s office. But imagine that, after disclosing sensitive information about your medical conditions in an online portal for a prominent health care facility, you started to receive targeted advertisements for related medications and treatments on your Facebook page, in your email inbox and in text messages.
That’s exactly what allegedly happened to one Jane Doe, a patient at UC San Francisco Medical Center, who filed a lawsuit this month against Meta, the parent company of Facebook. (Jane Doe v. Meta Platforms Inc., et al., (2022) No. 3:22-cv-04293, filed in the U.S. District Court for the Northern District of California.) The proposed class action filed in California federal court claims that Meta’s tracking software secretly harvested confidential medical data on Doe’s heart and knee problems to bombard her with targeted ads for medications and other cures.
Another California plaintiff sued Meta this month claiming that her communications with UCLA Health and UCLA Reagan Medical were also harvested and shared with third parties in the summer of 2022 (Doe v. Meta Platforms Inc. (2022), No. 3:22-cv-04680, filed in the U.S. District Court for the Northern District of California). The suit claims that Facebook intercepted her communications with UCLA’s Reagan Medical Center, including the information that she submitted on the appointment scheduling page.
“Americans expect and deserve for their communications with health care providers to be private,” the complaint reads.
The UCLA suit, filed on Aug. 22 in the U.S. District Court for the Northern District of California, alleges that Facebook abused the Meta Pixel, an online tracking tool that the plaintiff said tracked her activity across various websites.
So what is a Meta Pixel? It is a snippet of JavaScript that a website owner installs on its pages. On a hospital's site it can capture patients' sensitive health information, including medical conditions, prescriptions, doctor's appointments and more, and send that information to Facebook's servers.
A recent investigation into Meta Pixel tracking by The Markup found that 33 of Newsweek's top 100 hospitals used the tracker, sending a large volume of data to Facebook. Even inside password-protected patient portals, the tracker can capture data whenever someone clicks a button to schedule a doctor's appointment. Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors' names, transmitted alongside the user's IP address, which allows the data to be tied back to an individual.
UCLA Reagan was among the hospitals found to have used the Meta Pixel, though the hospital removed the tracker from its appointment scheduling page after being contacted by The Markup.
Meta itself is not a covered entity under the Health Insurance Portability and Accountability Act of 1996 (HIPAA), the federal law governing the privacy of medical data. HIPAA does bind the hospitals, however: a covered entity may disclose protected health information to a vendor only under a business associate agreement (BAA), so for Meta to lawfully receive PHI from these hospitals it would have needed a BAA with them.
In the past, federal courts have seen this form of data collection as a legal gray area. In 2016, a group of plaintiffs sued Facebook (Smith v. Facebook (2016), No 5:16-cv-01282, filed in the U.S. District Court for the Northern District of California) and a collection of health systems and organizations, claiming that the organizations violated their privacy policies and several state and federal laws—including wiretapping and intrusion on seclusion statutes—when they allowed Facebook to collect data from the health care providers’ websites using tracking technology.
A federal judge dismissed that case in 2017, holding that the plaintiffs had not plausibly alleged that Facebook collected "protected health information" as defined by HIPAA. The court reasoned that Facebook was tracking the plaintiffs on public-facing pages of the websites, such as the homepage or informational pages about diseases, where it was unlikely that the plaintiffs had established a patient relationship with the provider.
However, in 2019, the Federal Trade Commission (FTC) hit Facebook with a $5 billion penalty and required it to submit to new restrictions and requirements to hold the company accountable for its data privacy decisions.
Facebook's terms of service put the burden on the website owner to share through the Meta Pixel only data it is legally allowed to share. What the Pixel collects by default includes anything present in HTTP headers, button click data and form field names.
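The two passages above describe the Pixel in prose: a script loaded from Facebook that reads button clicks and form field names on the host page. The scan below is an added example written for this page; it is not code from the article, from The Markup or from Meta. It statically checks a page's HTML for the well-known Pixel markers (the fbevents.js loader and the fbq('init', ...) call) and lists the button labels and form field names that any third-party script on that page is able to read. The sample page is constructed for the example: the pixel ID in it is a placeholder, not a real Meta pixel ID, and the /portal/appointments form action is invented.

```javascript
// Added example (not from the article, The Markup or Meta): static scan of a
// web page for the Meta Pixel, plus a listing of the button labels and form
// field names an embedded third-party script can read on that page.
// SAMPLE_PAGE is constructed for this example; the pixel ID is a placeholder
// and the /portal/appointments action is invented.

const SAMPLE_PAGE = `<!doctype html>
<html><head><title>Schedule an appointment</title>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head>
<body>
<form id="schedule" action="/portal/appointments" method="post">
  <input type="hidden" name="patient_mrn" value="REDACTED">
  <label>Provider <select name="provider">
    <option>Example Cardiologist, MD</option>
  </select></label>
  <label>Reason for visit <input type="text" name="reason_for_visit"></label>
  <button type="submit">Schedule Appointment</button>
  <button type="button">Cancel</button>
</form>
</body></html>`;

// The Pixel loader is fetched from connect.facebook.net and initialised with
// a numeric pixel ID via fbq('init', ...). Both markers are stable.
const LOADER_RE = /connect\.facebook\.net\/[^"'\s>]*fbevents\.js/i;
const INIT_RE = /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g;

// Report whether the page loads the Pixel and which pixel IDs it initialises.
// A page may carry the fbq('init') call without the loader tag (e.g. when a
// tag manager injects the loader), so either marker counts as present.
function findMetaPixel(html) {
  const pixelIds = [...html.matchAll(INIT_RE)].map((m) => m[1]);
  const loader = LOADER_RE.test(html);
  return { present: loader || pixelIds.length > 0, loader, pixelIds };
}

// Strip tags and collapse whitespace to recover a button's visible label.
function textOf(fragment) {
  return fragment.replace(/<[^>]*>/g, '').replace(/\s+/g, ' ').trim();
}

// List what any script running in the page can read with no extra privilege:
// button labels and the name attributes of form controls. On a scheduling
// page these are the very values (provider, reason for visit) at issue.
function exposedFormData(html) {
  const buttons = [...html.matchAll(/<button\b[^>]*>([\s\S]*?)<\/button>/gi)]
    .map((m) => textOf(m[1]));
  const fieldNames = [...html.matchAll(/<(?:input|select|textarea)\b[^>]*\bname=["']([^"']+)["']/gi)]
    .map((m) => m[1]);
  return { buttons, fieldNames };
}

// One report per page: pixel status, exposed controls, and a flag for the
// combination that matters here (tracker present on a page with form input).
function auditPage(html) {
  const pixel = findMetaPixel(html);
  const exposed = exposedFormData(html);
  return {
    ...pixel,
    ...exposed,
    riskyCombination: pixel.present && exposed.fieldNames.length > 0,
  };
}

console.log(JSON.stringify(auditPage(SAMPLE_PAGE), null, 2));
```

A static scan of served HTML is a first pass only: a Pixel injected at runtime by a tag manager will not appear in the page source, so confirm in the browser's network panel by watching for requests to www.facebook.com/tr/, which is where the Pixel sends its events, while clicking through the scheduling flow. The scan also says nothing about what the Pixel actually transmits; the lawsuits turn on which of these readable values reached Facebook.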
Currently the Meta Pixel can be found on about 30 percent of the most popular sites on the web, according to The Markup’s report.
In exchange for installing the tracking code, Meta hands over analytics to website owners about the ads they’ve paid for on Facebook and Instagram, as well as tools to target customers who’ve visited their websites.
“Meta knows that the user data collected through its Pixel on healthcare defendants’ websites includes highly sensitive medical information but, in reckless disregard for patient privacy, continues to collect, use, and profit from this information,” according to the complaint against Meta by the UCSF Medical Center patient Jane Doe.
The suit argues that Meta and the health care companies breached invasion of privacy laws, illegally enriching themselves by profiting from the scraping of sensitive medical data, which is a violation of California’s Confidentiality of Medical Information Act.
In the case of the UCLA Jane Doe patient, the plaintiff is seeking $5 million in damages for illegal interception of private health care information and breach of contract.
“Facebook allows and encourages healthcare providers to install the Meta Pixel on their websites even though the type of information collected by the Meta Pixel on a healthcare provider website will include protected health information,” the complaint says. “Facebook then earns additional revenue selling advertising space to health care providers who target audiences based on data containing protected health information collected through the Meta Pixel.”
Representatives for Meta, the health care facilities and the plaintiffs involved in the class action suits did not immediately respond to requests for comment.
In the suit involving UCLA, the plaintiff alleged that Meta violated her privacy rights, citing the federal Electronic Communications Privacy Act, California's Invasion of Privacy Act and Unfair Competition Law, and a breach of the duty of good faith and fair dealing.
The suit also claimed that “neither Facebook nor any of the hospitals that deployed the Facebook Pixel on their web properties procured HIPAA authorizations for the disclosure of patient status and health information to Facebook.”
“Facebook’s collection of patient status and the content of patient communications with their medical providers, including when they register, log-in and logout of patient portals and to set up appointments, in the absence of a HIPAA authorization violates Facebook’s privacy promises to users,” the filing continued.
The plaintiff alleged that Facebook knowingly received patient data and failed to take action “to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.”
Though the full extent of Meta's collection of medical data is unclear, the plaintiffs in these cases say the practice is widespread across the U.S. and far larger than the public realizes.
“Facebook is also aware of every web property where the Facebook Pixel is deployed and fully capable of conducting the same types of expert analysis that Plaintiffs conducted to identify at least 664 hospitals or medical provider properties where the Facebook Pixel is present,” the UCLA Jane Doe lawsuit alleged.