Meta is now facing a lawsuit after it was discovered that the Meta Pixel was tracking patients’ sensitive medical information.
A man is suing Meta because there’s a potential that thousands of patients’ information is being stored. The data extends to patient portals which are supposed to be secure.
According to the lawsuit, which was filed in San Francisco federal court, Meta violated federal and state laws. The Health Insurance Portability and Accountability Act (HIPAA) and other state and federal laws were likely violated because patients didn’t consent to the information transfer and didn’t know that it was happening.
The plaintiff, named John Doe in the suit, says that he, as well as millions of other patients, had their right to privacy violated by Meta. He alleges violations of the federal Electronic Communications Privacy Act and California’s Invasions of Privacy Act and Unfair Competition Law, as well as a breach of Facebook’s duty of good faith and fair dealing.
The lawsuit states, “patient status is protected by HIPAA, which requires a valid HIPAA-compliant authorization before it is collected by Facebook.”
The lawsuit also says that “neither Facebook nor any of the hospitals that deployed the Facebook Pixel on their web properties procured HIPAA authorizations for the disclosure of patient status and health information to Facebook.”
Businesses send information to Facebook through Meta Business Tools like Meta Pixel, and Facebook “require[s] each of these partners to have lawful rights to collect, use, and share your data before providing data.” But because Facebook knew it was receiving sensitive medical information and didn’t attempt to enforce or validate its requirements, it may have broken the law.
Facebook also uses “The Facebook Crawler,” which scans partner apps and websites and gathers information including titles and descriptions. The lawsuit says that Facebook knows this data includes patient information.
The lawsuit said, “Facebook’s collection of patient status and the content of patient communications with their medical providers, including when they register, log-in and logout of patient portals and to set up appointments, in the absence of a HIPAA authorization violates Facebook’s privacy promises to users.”
It was discovered that Meta was collecting data when The Markup investigated Newsweek’s top 100 hospitals and found that 33 of them were using Meta’s program. When the hospitals were contacted, only seven took the function off of their patient portals.