Governance & Risk Management , HIPAA/HITECH , Privacy

Lawsuit Alleges Iowa Health Center Sent PHI to Facebook

Latest in a String of Similar Proposed Class Actions Against Other Firms
Lawsuit Alleges Iowa Health Center Sent PHI to Facebook
The University of Iowa Health Care is facing a proposed class action lawsuit alleging it used website tracking pixels to transmit patient data to Facebook. (Image: UIHC)

The University of Iowa Health Care is facing a proposed class action lawsuit from a patient who alleges that online tracking tools embedded into the medical center's websites secretly transmitted sensitive personal and health information to Facebook.

See Also: Panel Discussion | Accelerate HITRUST certification for faster time-to-market and improved ROI

The claim is the latest in a string of legal actions against other healthcare centers that pasted Facebook Pixel and similar online behavior tracking code into their patient portals.

The complaint alleges that the Iowa medical center "purposely and intentionally" installed the pixel and conversions application programming interface tools to "surreptitiously share its potential and current users' private and protected communications with Facebook," including information protected by HIPAA.

UIHC in a statement to Information Security Media Group said the allegations are unfounded. "University of Iowa Health Care is committed to protecting patient privacy. We do not share protected health information of our patients with Meta or Facebook."

Plaintiff attorney Brian Marty of Shindler, Anderson, Goplerud & Weese said, "The facts alleged in the complaint speak for themselves, as well as the dozens of other lawsuits filed across the country alleging the same or similar misconduct by healthcare providers."

Concerns over the use of web trackers by the healthcare industry exploded in the wake of last summer's Supreme Court decision that struck down a constitutional right to abortion embodied by the five-decade-old precedent of Roe v. Wade.

The Department of Health and Human Services has since warned that commercial web traffic trackers embedded into patient portals may violate privacy law. A growing number of healthcare companies are treating past use of trackers as a reportable data breach incident.

The department's top HIPAA enforcer said in early April that regulators will "hopefully soon" bring an enforcement action for tracking-tool related HIPAA violations (see: HHS OCR Leader: Agency Is Cracking Down on Website Trackers).

The lawsuit against the Iowa medical center seeks damages, including punitive damages, as well as injunctive relief ordering it to not engage "in the wrongful conduct alleged in the complaint pertaining to the misuse and/or disclosure of the private information.

Facebook faces a consolidated putative class action lawsuit in the U.S. District Court for the Northern District of California alleging the social media giant violated medical privacy laws by obtaining data from its web tracking Pixel tool embedded into patient portals and scheduling apps.

A judge in December denied the plaintiff's bid to enjoin Facebook collecting patient information from healthcare entities. The social media's use of systems created to block the receipt of sensitive information combined with "factual uncertainties" means "it is too early to find that the public interest supports a mandatory injunction," wrote U.S. District Judge William Orrick.


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.eu, you agree to our use of cookies.