Meta has been sued for collecting data from US hospitals without users’ knowledge, two new lawsuits allege.

The lawsuits center on the Meta Pixel, which sends data to Facebook every time a button is clicked.

A recent report by The Markup found that the pixel was used in 33 of the top 100 hospitals in the United States. The data that is sent to Facebook includes an IP address, which means that the user or the user’s household could be identified.

At seven of these 33 hospitals, the pixel was installed on password-protected patient portals, which shared information such as the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor appointments. Some hospitals removed the pixels after The Markup report.

One of the plaintiffs alleges that medical information was sent to Facebook through the pixel from the University of California, San Francisco and Dignity Health patient portals, causing her to see ads about her heart and knee conditions. Some of those ads didn’t even have scientific backing.

US medical privacy law states that health care organizations need patient consent to share identifiable information with outside groups, and the lawsuits allege that Meta is knowingly not enforcing these policies.

Meta did not respond to The Independent’s request for comment as of press time and did not respond to questions The Markup sent to it.

Instead, a spokesperson paraphrased the company’s sensitive health data policy: “If Meta signal filtering systems detect that a business is sending potentially sensitive health data from its app or website through its use of Meta Business Tools, which in some cases may occur by mistake, such potentially sensitive data will be removed before it can be stored in our ad systems.”

“I am deeply concerned about what [hospitals] are doing with their data capture and data sharing,” David Holtzman, a health privacy consultant who was previously a senior privacy advisor at the Office of Civil Rights of the US Department of Health and Human Services, which enforces HIPAA, told The Markup.

“I can’t say that [sharing this data] is for sure a HIPAA violation. It is most likely a HIPAA violation.”

The lawsuits have not yet been certified as class actions, which a judge will need to do before they can proceed. If they are certified, they could seek damages on behalf of all users whose medical providers have used the pixel.
