Meta faces another class action lawsuit over use of Meta Pixel code on hospital websites

Meta is facing another class action lawsuit for illegally collecting and sharing health data without consent. The lawsuit was filed in the Northern District of California on behalf of the plaintiff, Jane Doe. The lawsuit alleges that Meta and its companies, including Facebook, collected sensitive health data from millions of patients without obtaining their express consent and used that information to serve individuals with targeted advertisements.

Jane Doe was a patient of UCSF Medical Center and the Dignity Health Medical Foundation and claims her sensitive health information was illegally obtained by Meta when she entered the information into the UCSF Medical Center online patient portal. UCSF Medical Center had added the Meta Pixel code to the patient portal web pages. Meta Pixel is a snippet of JavaScript code used to track website visitors. The code records the web pages a user visits and transmits them to Meta. If the code is present on a web page with a form, such as those used for booking appointments, the selections from the drop-down lists are also recorded and transmitted. These selections could indicate a patient’s medical condition or the reason an appointment was made.
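A check a site owner could run for the situation described above, as an added example that is not from the article or the lawsuit: a static audit that flags pages which load the Meta Pixel and also contain form fields. The three signatures are the forms in which the Pixel commonly appears in page source; the function name, sample pages, and the all-zero Pixel ID are constructed for illustration.

```javascript
// Static audit: does a page load the Meta Pixel, and does it also hold form
// controls whose values could reveal why a patient is booking?
// All sample HTML below is constructed; the Pixel ID is a placeholder.
const PIXEL_SIGNS = [
  { name: "loader script", re: /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i },
  { name: "fbq init call", re: /\bfbq\s*\(\s*['"]init['"]/i },
  { name: "noscript beacon", re: /facebook\.com\/tr\?/i },
];

function auditPage(url, html) {
  // Drop HTML comments so a commented-out snippet is not reported as live.
  const live = html.replace(/<!--[\s\S]*?-->/g, "");
  const signs = PIXEL_SIGNS.filter(s => s.re.test(live)).map(s => s.name);
  // Collect the names of visible <select>, <input> and <textarea> controls.
  const fields = [];
  const ctl = /<(select|input|textarea)\b([^>]*)>/gi;
  for (let m; (m = ctl.exec(live)); ) {
    if (m[1].toLowerCase() === "input" && /type\s*=\s*["']?hidden/i.test(m[2])) continue;
    const n = /\bname\s*=\s*["']?([^"'\s>]+)/i.exec(m[2]);
    fields.push(n ? n[1] : `(unnamed ${m[1].toLowerCase()})`);
  }
  // Pixel plus form fields is the combination the article describes.
  let risk = "none";
  if (signs.length) risk = fields.length ? "high" : "review";
  return { url, pixel: signs.length > 0, signs, fields, risk };
}

// Constructed sample: an appointment page with the Pixel and a drop-down list.
const SAMPLE_BOOKING = `<html><head><script>
!function(f,b,e,v){/* loader stub */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');
</script></head><body>
<form action="/book"><select name="reason"><option>Cardiology</option></select>
<input type="hidden" name="csrf" value="x"><input name="dob"></form>
</body></html>`;
// Constructed sample: the snippet survives only inside an HTML comment.
const SAMPLE_CLEAN = `<html><body><!-- fbq('init','0') removed -->
<form><select name="clinic"></select></form></body></html>`;

console.log(auditPage("https://portal.example/book", SAMPLE_BOOKING));
console.log(auditPage("https://portal.example/clinics", SAMPLE_CLEAN));
```

A Pixel injected at runtime by a tag manager does not appear in static source, so pair this with a review of outbound requests in a real browser session, including pages behind the login.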

One of the targeted Facebook ads served to Jane Doe. Source: Jane Doe v. Meta Platforms, Inc. F/K/A Facebook, Inc., UCSF Medical Center and Dignity Health Medical Foundation.

Jane Doe said she had used Facebook since 2012 and alleged that her privacy had been breached because her information was collected and used without her consent. The information entered on the form was used by Meta to serve her targeted advertisements related to her health condition. The lawsuit alleges a violation of HIPAA because neither UCSF Medical Center nor the Dignity Health Medical Foundation had entered into a business associate agreement with Meta or Facebook, and at no time did Meta, Facebook, or the hospitals obtain consent or inform patients that their information was being provided to Meta to serve targeted advertisements.

Under HIPAA, healthcare providers are permitted to disclose an individual’s protected health information (PHI) to another HIPAA-covered entity or third-party provider for reasons related to treatment, payment, or health care operations, and in such cases consent is not required from the patient. Most other disclosures require a HIPAA-covered entity to enter into a business associate agreement with the third party prior to any disclosure of PHI, and consent is required from individuals whose PHI is disclosed.

There is no private right of action in HIPAA, so it is not possible for individuals to sue their healthcare providers for HIPAA violations, but there are often equivalent federal and state laws that have a private right of action. In this case, the lawsuit makes sixteen claims, including common law invasion of privacy – intrusion upon seclusion, invasion of privacy, breach of contract, breach of implied contract, unjust enrichment, and violations of the California Constitution, the California Confidentiality of Medical Information Act (CMIA), the California Business and Professions Code, the California Invasion of Privacy Act, the Comprehensive Computer Data Access and Fraud Act, and the Federal Wiretap Act.

The lawsuit alleges that the plaintiff and class members suffered damages and losses as a result of the defendants’ conduct, which deprived the plaintiff and class members of control of their valuables, the ability to obtain compensation for their data, and the ability to prevent the sale of their data, and that the breaches have resulted in irreparable and incalculable harm and injury. The lawsuit seeks damages and injunctive and equitable relief.

The lawsuit makes similar allegations to another lawsuit brought against Meta, in that case by plaintiff John Doe, who was a patient at MedStar Health in Maryland. The Markup recently conducted a survey on health data sharing with Meta/Facebook via Meta Pixel on hospital websites and found that 33 of the top 100 hospitals in the United States had the Meta Pixel code on their websites, and 7 hospitals had the code installed on their patient portals behind the login, but consent to data sharing was not obtained.