Patient Data Sent to Meta Without Consent by Hospitals via Meta Pixel Tool on Websites

An investigation into the use of the Meta Pixel tool on hospital websites has revealed that one-third of the top 100 hospitals are using the tool on their websites and are sending sensitive patient data to Meta/Facebook without consent. Further, 7 hospital systems were identified that had the tool added on web pages within their password-protected patient portals.

The Meta Pixel tool is a snippet of JavaScript code that website administrators can add to track the movement of users across their website and record the actions they take. The tool records information related to the user, such as their IP address, and the actions they have taken. On a hospital website, the information recorded includes the page they visit, such as the page for making an appointment, and any information selected from drop-down menus, for instance the reason for the appointment, which could reveal their medical condition. That information is then sent to Meta/Facebook, is stored, and is potentially used to serve targeted adverts.
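A hospital web team can check its own pages for the combination described above (the Pixel base code on a page that also carries appointment drop-downs). The following audit script is an added example, not code from the article or from the investigation it reports; the sample HTML and the all-zero pixel id are constructed placeholders, and the markers it looks for are the publicly documented fbevents.js loader and fbq() calls.

```python
import re
from html.parser import HTMLParser

# Markers of the Meta Pixel base code: the fbevents.js loader and the fbq() calls it defines.
PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[^/\"']+/fbevents\.js")
PIXEL_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
PIXEL_TRACK = re.compile(r"fbq\(\s*['\"]track(?:Custom)?['\"]\s*,\s*['\"]([^'\"]+)['\"]")

class _DropdownCollector(HTMLParser):
    """Collect <select> names and their option values: the drop-down choices the pixel can capture."""
    def __init__(self):
        super().__init__()
        self.selects = {}
        self._current = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "select":
            self._current = a.get("name", "?")
            self.selects[self._current] = []
        elif tag == "option" and self._current is not None:
            self.selects[self._current].append(a.get("value", ""))

    def handle_endtag(self, tag):
        if tag == "select":
            self._current = None

def audit_page(html: str) -> dict:
    """Report pixel markers found in one page and the drop-downs whose values it could send."""
    pixel_ids = PIXEL_INIT.findall(html)
    present = bool(PIXEL_LOADER.search(html)) or bool(pixel_ids)
    collector = _DropdownCollector()
    collector.feed(html)
    return {
        "pixel_present": present,
        "pixel_ids": pixel_ids,
        "events": PIXEL_TRACK.findall(html),
        "dropdowns": collector.selects,
        "at_risk": present and bool(collector.selects),
    }

# Constructed sample of an appointment page; the pixel id is a placeholder, not a real one.
SAMPLE_APPOINTMENT_PAGE = """<html><head>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
</head><body><form action="/schedule"><select name="reason">
<option value="cardiology">Cardiology</option><option value="oncology">Oncology</option>
</select><button onclick="fbq('track', 'Schedule')">Request appointment</button>
</form></body></html>"""
```

Pages flagged `at_risk` are the ones where a patient's drop-down choice and the tracked click can leave the site together; a page without the loader or any `fbq('init', ...)` call is reported as clean even if it has drop-downs.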

Under the HIPAA Rules, any such data transfer would require consent from patients, and any company collecting that data – if it allows users to be identified – would be classed as a business associate and would have to enter into a business associate agreement. The study, conducted by The Markup/STAT, found no evidence that consent had been obtained from patients authorizing the collection and transfer of their data, and there appeared to be no business associate agreement with Meta/Facebook, which is a potential violation of HIPAA. The potential violation would be on the part of the hospitals and health systems that use Meta Pixel on their websites, not Meta/Facebook, which is not covered by HIPAA. The study was limited to Newsweek’s top 100 hospitals, but many more could be using Meta Pixel and sending data to Meta/Facebook without consent.

The terms and conditions of Meta state that if sensitive data is found to be transferred using Meta tools, Meta will prevent that data from being ingested into its ads ranking and optimization systems, but the study was unable to determine whether that was the case and if the data had been used to serve targeted ads.

Class Action Lawsuit Filed Over Alleged Privacy Violation

A lawsuit has now been filed in the U.S. Northern District of California against Meta alleging Meta was knowingly collecting patient data from hospital websites through the Meta Pixel tool and was using that information to serve targeted adverts, and in doing so, has violated the privacy of millions of patients. The attorneys for the unnamed plaintiff say they have so far identified 664 hospitals in the United States that are using Meta Pixel and are sending patient data to Meta, and that this is in violation of HIPAA.

The lawsuit states that “Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook.” There is no private cause of action in HIPAA, and Meta is not a business associate, so action is not being taken over any alleged HIPAA violations. The lawsuit alleges that Meta has violated California’s Unfair Competition Law and the Invasion of Privacy Act and the federal Electronic Communications Act, and further alleges breach of contract, breach of good faith and fair dealing, intrusion upon seclusion/constitutional invasion of privacy, and negligent misrepresentation. The lawsuit seeks class action status, a jury trial, compensatory and punitive damages, and attorneys’ fees.