3rd Party Risk Management , Fraud Management & Cybercrime , Governance & Risk Management
Facebook Slapped With Another Health Data Privacy LawsuitProposed Class Action Claims Meta Pixel Tracks Sensitive Patient Info
Facebook faces the prospect of another federal class action lawsuit alleging it collects millions of individuals' sensitive health data from healthcare provider websites without patients' knowledge or consent.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
The social media giant's data collection practices - already under heavy scrutiny - have come under even greater scrutiny in the fallout of the Supreme Court's overturning of Roe v. Wade, the five-decade judicial precedent that guaranteed nationwide access to abortion. Reproductive health and privacy experts have warned that law enforcement may attempt to collect information about abortions through digital footprints left online and in smartphones.
The latest privacy litigation comes from a Jane Doe patient of UCSF Medical Center and Dignity Health Medical Foundation who alleges Facebook parent Meta harvested sensitive medical data without her consent when she entered her information on the San Francisco medical center's online patient portal.
Embedded into the portal is the Meta Pixel code, Doe said in her putative class action, filed Monday in the District of Northern California. The lawsuit follows a similar lawsuit filed last month in the same court by "John Doe," a patient of MedStar Health in Maryland (see: Lawsuit: Facebook is Collecting Patient Data of 'Millions').
Similar to the claims in the other lawsuit, "Jane Doe" - a Facebook user since 2012 and a Sacramento, California resident - alleges Meta violated more than a dozen federal and California privacy-related laws and regulations. She accuses the social media company and the medical center of breach of contract, unjust enrichment and other claims.
The lawsuit is seeking damages, as well as "injunctive and other equitable relief as the Court deems just."
Among other claims, Jane Doe's lawsuit alleges that her privacy was violated when her user data was used "for profit by Meta" to allow pharmaceutical and other companies to send her targeted advertising related to her medical conditions.
Regulatory attorney Rachel Rose, who is not involved in the Meta litigation, says several allegations in the Jane Doe lawsuit stand out.
Those include Meta allegedly deploying technology and tracking information obtained from hospital websites that contained patient information without the individuals' knowledge or consent and without a HIPAA business associate agreement in place between Meta and the hospitals.
HIPAA regulates uses of protected heath information, and the use of PHI for marketing purposes without patients' written authorization is prohibited, with limited exceptions.
The lawsuits against Meta also spotlight other important restrictions, including issues pertaining to third-party software used by other healthcare organizations and their vendors that handle PHI, Rose says.
"HIPAA requires that covered entities and business associates know the avenues of ingress and egress for PHI and sensitive personally identifiable information," she says.
The unauthorized access, use or disclosure of PHI by third parties also pose issues ranging from potential breaches and class action lawsuits to government enforcement actions, which may rise to the level of criminal conduct, she says.
The Department of Justice in the past has criminally prosecuted individuals for illegally accessing PHI and selling it or repackaging it for financial gain.
"I don't see this as being any different because the patients [allegedly] did not have knowledge or give consent, which is usually done with an express provision in a HIPAA authorization, that the information is being sold. Patients have the right to decline and also opt out later."
USCF Medical Center declined Information Security Media Group's request for comment on the lawsuit, saying the organization does not comment on pending litigation.
Neither Dignity Health nor Meta immediately responded to ISMG's requests for comment on the litigation.
Privacy by Design
Privacy attorney David Holtzman of the consulting firm HITprivacy LLC says "privacy by design assessments" might have better informed decisions by healthcare organizations on how applications, such as Meta’s Pixel tracking tools, are used with their websites and portals.
"In my experience, it is common for healthcare organizations to install or allow third-party applications to collect or analyze users' data on their internet-facing websites and patient portals through use of tracking tools," he says.
"Perhaps what we are learning now is that there was a general failure to employ privacy by design that might have brought to light an understanding of how sensitive or personally identifiable information collected for healthcare treatment was used or disclosed."