Facebook (Meta) Sued Over Data Privacy Practices in Healthcare With Meta Pixel


Jane Doe, a patient at UCSF Medical Center and Dignity Health Medical Foundation, has filed a lawsuit against Facebook’s parent company in relation to its health data privacy practices. According to a report co-published by STAT and The Markup, the company used Meta Pixel, a tracking tool, to extract health data from hospital websites.

More About Facebook’s Meta Lawsuit & Data Privacy in Healthcare

Meta Pixel is a piece of code developed to allow websites to track user activity. However, the report alleges that Facebook used the code on hospital websites to collect highly sensitive data. It is alleged that the tracker was used on password-protected patient portals to send data to Facebook whenever a user scheduled a doctor’s appointment online. This allegedly allowed Facebook to receive Protected Health Information (PHI) of patients, including doctors’ names and medical conditions. All of this information could be linked to the user’s unique IP address.

The plaintiff claims that the company harvested her health data when she fed her information into the hospitals’ patient portals. She alleges that Meta is using her data to make money by allowing “pharmaceutical and other companies to send her targeted advertising related to her medical conditions.”

“With the tracker present within password-protected patient portals, packets of data were allegedly sent to Facebook whenever someone clicked a button to schedule a doctor’s appointment. Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors’ names, which could all be linked to the user’s unique IP address,” said the lawsuit.

“Meta knows that the User Data collected through its Pixel on Healthcare Defendants’ websites includes highly sensitive medical information but, in reckless disregard for patient privacy, continues to collect, use, and profit from this information,” it added.

Meta Pixel

The company has yet to comment on the lawsuit. However, according to the official website, the Meta Pixel is designed to collect different types of information, including data present in form field names, HTTP headers, and more. The Markup ran tests on the top 100 hospital websites in the country and found the tool on nearly 33 percent of them. Meta did not enter into HIPAA Business Associate Agreements (BAAs) with the organizations in question. According to the lawsuit, the company is deceiving the public by making people believe that their personal data is protected, whereas it is being used to help other companies.

The plaintiff called these violations “willful, deceptive, unfair, and unconscionable” and is seeking compensatory damages through this Meta lawsuit. This isn’t Facebook’s only legal battle, as the company recently reached a $650 million settlement over claims that it violated privacy laws. That lawsuit alleged the company stored private data, including biometric information such as facial scans, without seeking user consent.


Data privacy in healthcare is a major concern in today’s environment. This lawsuit concerns third-party vendor relationships and the importance of regulating how organizations collect, use, and manage patient data. Facebook’s use of Meta Pixel amid ever-increasing healthcare cybersecurity concerns raises many questions. As HIPAA-covered entities, healthcare professionals and their organizations must therefore be mindful of the systems they choose to use with patients.


7 months ago

Hospital staff generally gets fired just for looking at patient data without approval. Let’s see some jail time for both FB employees who accessed this data and the government staff who received and reviewed the data.

Jacqueline McKenzie
7 months ago

This is a legitimate concern. We had our local hospital send us a letter. It stated our medical information has been breached! How did they let that happen?

Jacqueline McKenzie

Thank you!
