Meta, specifically Facebook, is in hot water again, and this time the company faces a class-action suit. The media giant stands accused of violating federal and state laws by secretly collecting private medical data through its Pixel tracking tool. Hundreds of healthcare providers used “Pixel” to schedule appointments, and some of that personal information was on Facebook as soon as patients clicked a button to set a date and time.
Repeat Offender
This isn’t Facebook’s first time at the data privacy rodeo. Over the last decade, Mark Zuckerberg’s creation has been sued, investigated, and torn to shreds by the media and general public. Specifically, concerns focused on the company illegally gathering information on its users, which was then manipulated for targeted advertising.
The worst stain on Facebook’s reputation was the Cambridge Analytica scandal. The political consulting firm and other companies were allowed access to the personal, identifiable data of about 85 million people. After being exposed, Facebook was forced to apologize.
Medical Info
However, this go-around, things are slightly different. This case alleges Facebook took confidential information while acting as a service provider for multiple healthcare website portals. The unidentified plaintiff says he used a Baltimore health system portal to communicate with his medical providers, review his test results, and make appointments. He is seeking punitive and compensatory damages for himself and others due to a breach of contract, violation of the federal Electronic Communications Privacy Act, and invasion of privacy.
According to a report by The Markup, millions of Americans possibly had their rights violated as 33 of Newsweek’s top 100 hospitals use Pixel. The lawsuit, however, did not just focus on the top hospitals. It cites 664 healthcare providers or systems that used the service to receive sensitive info such as medical conditions, prescriptions, and appointments, which was then shared with Facebook.
Pixel is a chunk of code embedded in a website that monitors a user’s movements. It notes the buttons clicked, logs information entered on forms, and identifies pages visited. Shockingly, 30% of the most visited websites use Pixel. But why would any web owner want to use it?
In exchange for installing the tool, Meta gives the website operator analytics on its ads across Meta’s social media platforms, Instagram and Facebook. The company also offers tools to target users. The data sent to Facebook via Pixel is identifiable because it is linked to an IP address, which can easily be used to identify a physical address or person.
So What?
Essentially, private medical data ended up in the hands of Facebook. But what happened to it next? Was Facebook even aware it had access to this potentially illegally obtained private data? Has HIPAA been violated?
Health data security experts, former regulators, and advocates say yes, the hospitals may have violated the federal Health Insurance Portability and Accountability Act (HIPAA). This law forbids medical providers from sharing personally identifiable health information with third-party vendors unless the patient has given consent. According to The Markup’s report, there was no proof that patients had consented to the hospitals sharing this information with the third party, Facebook.
The HIPAA violations almost certainly won’t fall on Meta, but the healthcare providers could be in serious trouble. The biggest concern about Meta’s involvement is what it has done with all that data.