Skip to main content

Meta sued for violating patient privacy with data tracking tool

Meta sued for violating patient privacy with data tracking tool

/

Lawsuits allege Meta and US hospitals violated HIPAA

Share this story

Illustration by Alex Castro / The Verge

Facebook’s parent company Meta and major US hospitals violated medical privacy laws with a tracking tool that sends health information to Facebook, two proposed class-action lawsuits allege.

The lawsuits, filed in the Northern District of California in June and July, focus on the Meta Pixel tracking tool. The tool can be installed on websites to provide analytics on Facebook and Instagram ads. It also collects information about how people click around and input information into those websites.

An investigation by The Markup in early June found that 33 of the top 100 hospitals in the United States use the Meta Pixel on their websites. At seven hospitals, it was installed on password-protected patient portals. The investigation found that the tool was sending information about patient health conditions, doctor appointments, and medication allergies to Facebook.

In one of the lawsuits, a patient says that her medical information was sent to Facebook by the Meta Pixel tool on the University of California San Francisco and Dignity Health patient portals (those hospitals are also defendants in the suit). The patient then was served advertisements targeted to her heart and knee conditions, the lawsuit says.

The other lawsuit, from a patient at the MedStar Health System in Baltimore, Maryland, alleges that at least 664 healthcare providers have sent medical data to Facebook through the Meta Pixel.

Under the medical privacy law HIPAA, healthcare organizations need patient consent to share personally identifiable health information with outside groups. Meta says that it requires groups using the Meta Pixel to have the right to share data before sending that data to Facebook and that it filters out sensitive health data. The lawsuits allege that Meta is knowingly not enforcing those policies and that it put the Pixel on healthcare organizations’ websites despite knowing it would collect personal health information.

The lawsuits will have to be certified as class actions by a judge before they can move forward. If either is successful, they could bring damages on behalf of all Facebook users whose medical providers employed the Meta Pixel.

You can read the full complaints below.