Lawsuit claims Facebook wrongly collects patient data through health system, hospital websites

Facebook wrongly tracked patient information of at least 664 hospital systems or medical provider websites, according to a class action lawsuit filed in federal court.

The case was filed a day after a news report this month claimed the social media network was “receiving sensitive medical information from hospital websites” through its Pixel tracking tool installed on hospital websites.

The lawsuit claims breach of contract, violations of good faith and fair dealing, invasion of privacy, violations of federal and state privacy laws and state unfair competition law, and negligent misrepresentation by Facebook parent company Meta Platforms Inc. It seeks unspecified compensatory and punitive damages, but noted the “amount in controversy” exceeds $5 million.

How it works

The legal complaint said: “When a patient communicates with a health care provider’s website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient’s communication with their health care provider to be redirected to Facebook in a fashion that identifies them as a patient.”

The lawsuit acknowledged Facebook requires businesses that use Pixel must have lawful rights to collect, use and share data. But in reality, Facebook does not require medical providers to have patient consent and its contract for medical providers does not mention patient privacy rules of the federal Health Insurance Portability and Accountability Act of 1996, known as HIPAA. Facebook then used the patient information “to generate highly profitable targeted advertising on and off Facebook,” according to the lawsuit.

The social media network also offered “remarketing,” serving specific ad campaigns to patients based on patients’ online interactions with the health care websites. “For example, Facebook could target ads to a patient who had (1) used the patient portal and (2) viewed a page about a specific condition, such as cancer,” or could exclude patients from receiving certain ads, the lawsuit said.

The case was filed by Kiesel Law LLP in U.S. District Court for the Northern District of California. The plaintiff is identified as “John Doe,” described as a Maryland resident, Facebook user, and aa patient of MedStar Health Inc. The patient used that company’s patient portal to view medical records, lab results, “and otherwise communicate with his provider,” during the time the myMedStar portal had Facebook Pixel deployed on its login page, the lawsuit said. MedStar was not named as a party in the court case.

In the news

The lawsuit followed a June 16 report copublished by nonprofit The Markup, a technology watchdog media organization, working with STAT medical news.

The Markup tested websites of Newsweek’s top 100 hospitals in American and found 33 were using the Facebook Pixel online tracker, also called the Meta Pixel. The Markup investigated Facebook data from real patients who volunteered for its Pixel Hunt project, a collaboration with Mozilla, developer of the Firefox Browser for the Internet.

The Markup was unable to determine whether or how Facebook used the data. Meta Platforms did not respond to questions about that report, but offered a statement from a representative stating potentially sensitive data will be removed before it was stored in ad systems.

Meta Platforms did not respond to a Medical Economics inquiry about the lawsuit on June 28.