Two new lawsuits allege that Meta, Facebook’s parent company, and a number of US hospitals violated medical privacy law HIPAA, according to The Verge. These lawsuits follow a report from The Markup published this June documenting how the Meta Pixel, an ad analytics tracking tool installed on many websites, potentially shared identifying patient data in a way that violated HIPAA. Both lawsuits were filed in the Northern District of California and argued that the use of the Meta Pixel on hospital websites allowed sensitive health information to be sent to Facebook. The lawyers for the plaintiffs are trying to get them classified as class action suits and demanding jury trials.
But let’s step back a bit and answer some key questions: What is the Meta Pixel, how does it work, and why are hospitals’ installing it on their websites? And since they are, is that likely to be a HIPAA violation?
The Meta Pixel is a free ad tracking tool from Facebook. According to research conducted by The Markup, approximately a third of the 80,000 most popular websites have the Meta Pixel installed. (Full disclosure: PopSci is one of them). This tool allows website owners to see analytics from Facebook and Instagram ads they run, and target Facebook and Instagram users who have visited their sites with ads.
The Meta Pixel is automatically triggered when someone visits a website with it installed. If they’re logged into Facebook (and not using a browser that protects against third-party tracking), it sends information about who they are and what they do on the site to Facebook. (Even if they’re not logged in, Facebook has other ways of attempting to glean information about visitors through the Meta Pixel). What information is sent to Facebook is controlled by the website operator, and this is where the HIPAA troubles start.
As part of The Markup’s Pixel Hunt investigation into Facebook ad tracking, it tested the websites of Newsweek’s top 100 US hospitals for 2022. It found the Meta Pixel installed on 33 of them, and all of them sent sensitive data to Facebook, including identifying information such as a visitor’s IP address, and when they attempted to schedule an appointment.
[Related: How data brokers threaten your privacy]
“On the website of University Hospitals Cleveland Medical Center, for example, clicking the ‘Schedule Online’ button on a doctor’s page prompted the Meta Pixel to send Facebook the text of the button, the doctor’s name, and the search term we used to find her: ‘pregnancy termination,’” The Markup reported.
For seven hospitals, the situation was even worse. The Meta Pixel wasn’t just installed on the public facing web pages, but also on the password-protected patient portals. For five of those websites, it documented real patient data—provided by volunteers who signed up to help the Pixel Hunt investigation using Mozilla’s ad-tracker tracking Rally plugin—being sent to Facebook. Some of that information included “the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.”
According to The Markup, “former regulators, health data security experts, and privacy advocates” all expressed concern that the hospitals using the Meta Pixel on their patient portals may have violated HIPAA regulations. David Holtzman, a health privacy consultant who has previously served as a senior privacy adviser for the US government agency that enforces HIPAA, told The Markup that while he couldn’t say for certain, “it is quite likely a HIPAA violation.”
It’s important to note that Facebook itself is not subject to HIPAA as it is not a healthcare provider. Still, there is cause for legitimate scrutiny of how Meta handles sensitive data. Following a report in The Wall Street Journal and a New York Department of Financial Services investigation in 2019, Meta said it was introducing a tool to automatically filter out sensitive medical data sent by websites through the Meta Pixel. However, according to previous reporting by The Markup and leaked Facebook internal documents, it is unlikely that the tool is 100 percent effective at filtering out sensitive medical data.
Medical providers, on the other hand, are bound by HIPAA. They are not supposed to share data with third-parties without express consent from the patient in question. From The Markup’s reporting, it seems unlikely that any of the hospitals obtained that.
While the majority of hospitals documented by The Markup’s investigation removed the Meta Pixel from their patient portals after they were contacted (and some also removed it from their public websites), their past actions set the stage for these two lawsuits.
As well as Meta, one of the lawsuits names University of California San Francisco and Dignity Health patient portals as defendants. Apparently, a patient claims her medical information was sent to Facebook where she was then served targeted ads relating to her heart and knee conditions. The other suit doesn’t name any other defendants, but claims at least 664 healthcare providers have sent medical data to Meta.
We won’t know whether either case will become a class action or even proceed for a while yet, but it’s another bad story for Meta—which really can’t seem to catch a break.