A class action lawsuit has been filed in the Northern District of California against Meta (Facebook), the UCSF Medical Center, and the Dignity Health Medical Foundation, alleging that the organizations are unlawfully collecting sensitive healthcare data about patients for targeted advertising.
This tracking and data collection allegedly takes place in medical portals beyond login walls, where patients enter highly sensitive information about themselves, their conditions, doctors, prescribed medication, and more.
According to the lawsuit, neither the hospitals nor Meta informs the patients about the data collection, no user consent is requested, and there is no visible indication of this process.
The plaintiffs realized the violation of their privacy when Facebook, the social media platform belonging to Meta, began targeting them with advertisements tailored explicitly for their medical condition.
Meta Pixel
The Meta Pixel is a piece of code that can be injected into any website to aid with visitor profiling, data collection, and targeted advertising.
It takes up the space of a single pixel, which accounts for both its name and its stealthiness, and helps collect data such as button clicks, scrolling patterns, data entered in forms, IP addresses, and more.
This data collection takes place for all users even if they don’t have a Facebook account. However, for Facebook users the collected data is linked to their account for deeper correlation.
Because the Meta Pixel is installed on numerous sites, users will be tracked and targeted with specific ads on multiple internet locations.
A recent investigation by The Markup found the Meta Pixel on 30% of the top 80,000 most popular websites, including several anti-abortion clinics and other healthcare providers.
The lawsuit claims that Meta’s tracking code is present on the websites of 33 of the top 100 hospitals in the United States, and in seven cases, the code runs inside password-protected patient portals.
According to the complaint, the 33 hospitals found to have the Meta Pixel collectively accounted for over 26 million patient admissions and outpatient visits in 2020 alone.
Privacy violation
In examples in court documents, patients received targeted advertisements on Facebook and also over email, promoting ailments and medical services with no scientific support.
Most importantly, the plaintiffs felt violated as they had never agreed to the collection of sensitive medical data, let alone for it to be used in targeted advertising.
Meta’s data privacy policy even contains a provision for this, stating that its partners (hosts of the Meta Pixel) must have lawful rights to collect, use and share users’ data before handing it over to the advertising giant.
However, as mentioned in the complaint: “Healthcare Defendants do not have the legal right to use or share Plaintiffs’ and Class members data, as this information is protected by the Health Insurance Portability and Accountability Act of 1996’s (“HIPAA”) Privacy Rule, which protects all electronically protected health information a covered entity like Healthcare Defendants “create[], receive[], maintain[], or transmit[]” in electronic form.”
As such, both Meta and the healthcare providers are accused of knowing that their data collection operation was unlawful, yet they continued to do it and concealed it from the tracked individuals.
Meta’s efforts to filter out sensitive medical information from the collected data have been proven ineffective, according to both The Markup and the New York State Department of Financial Services, which looked into this matter back in February 2021.
In conclusion, the plaintiffs, on behalf of anyone in a similar situation, seek relief for invasion of privacy, violation of medical information confidentiality, unjust enrichment, breach of contract, and violations of the Computer Data Access and Fraud Act (CDAFA) and the Federal Wiretap Act.
Source: www.bleepingcomputer.com