Facebook parent company Meta is facing yet another class action lawsuit tied to the data scraping power of its Pixel tool in hospital and patient-facing websites. Advocate Aurora Health and WakeMed Health and Hospitals are both facing patient-led suits filed following two separate breach notices involving the technology.
Advocate Aurora informed 3 million patients in October that their sensitive health data may have been compromised and shared with Google, Facebook and the tech giants’ abundance of third-party vendors.
The complaint against Meta and Advocate Aurora was filed Oct. 28 in U.S. District Court in Chicago and accuses the defendants of violating the Electronic Communications Privacy Act, the Stored Communications Act and the Health Insurance Portability and Accountability Act by “knowingly and repeatedly intercepting, accessing and disclosing” personal and sensitive health information.
The 27-hospital system has not clarified when the technology was used on its websites. The complaint alleges that Advocate Aurora encouraged patients to use its patient portal “LiveWell” leading to the exposure of protected health information (PHI) and subsequent “serious mental injury, shame or humiliation to people of ordinary sensibilities.”
Alistair Stewart, an Advocate Aurora patient, filed the suit “individually, and on behalf of all others similarly situated.” The suit states that Facebook’s data policy applies an “honor system” where it asks that businesses using its technology “provide robust and sufficient prominent notice to users regarding the Business Tool Data collection, sharing and usage.” Furthermore, it asserts that “Facebook’s Meta Pixel contracts with healthcare providers such as Advocate fail to mention or comply with HIPAA.”
Google was not listed as a defendant despite Advocate Aurora informing patients that the company may have also accessed patient data.
WakeMed notified 495,000 patients of the same technology on their websites and that “the pixel’s software code may have also transmitted some of the information entered into the MyChart patient portal and appointment scheduling page back to Facebook.” In the late October announcement, WakeMed noted that the technology was in use on its website from March 2018 to May 2022.
The suit filed on Oct. 31 in North Carolina's Wake Country courts against WakeMed includes neither Meta nor Google as a defendant but does accuse WakeMed of violating “its duty of confidentiality to its patients” through the use of Pixel technology on its MyChart patient portal.
“Despite knowing the risk that it was unlawfully transmitting patients’ PHI, WakeMed chose to implement the Meta Pixel on its website and patient portal because it financially benefits WakeMed,” the lawsuit reads. “Specifically, WakeMed benefits from the ability to analyze its patients’ experience and activity on its website to assess the website’s functionality and traffic. WakeMed also gains information about its patients through the Meta Pixel that can be used to target them with advertisements as well as measure the results of advertisement efforts.”
Trace Widdle was listed as the primary plaintiff filing also on behalf of other affected patients. The suit states that WakeMed’s Notice of Privacy Practices outlining sharing PHI with HIPAA-compliant “business associates” does not include “business associates such as Facebook for the sole purpose of collecting consumer information for advertising and marketing purposes.”
The lawsuit also states that WakeMed enacted a “website privacy policy” two days after the health system sent a data breach notice to patients that informs users of Pixel-like technology being used on its site to collect information, although it does not mention the collection of PHI.
Both suits assert that the use of JavaScript code scraped sensitive information including IP addresses, emergency contact information and medical information including health history.
Updated Aug. 12, 10:30 a.m.
Northwestern Memorial Hospital has joined the list of hospitals and health systems facing legal complaints due to the alleged use of Facebook parent company Meta's data tracker on their patient portal.
Michael Krackenberger, a patient of the hospital, filed a complaint on behalf of himself and others in the U.S. District Court for the Eastern Division of the Northern District of Illinois.
As laid out in similar class action cases against hospitals and the tech company, Krackenberger said in the suit that he became aware of Meta's collection of his personal data via Northwestern Memorial's online website as a result of an investigation published in June (see below).
The plaintiff acknowledged in the complaint that Northwestern Memorial had previously released a statement saying that use of the data tracker was disclosed in its terms and conditions.
However, such waivers do not exempt the system from patient rights protections laid out in Illinois law, according to the complaint. The plaintiff also alleged that Meta's collection and use of private medical information for profit violated both state and federal information protection laws.
Krackenberger is seeking punitive damages of at least $5 million for himself and others harmed by the collection and use of their information.
Updated Aug. 2, 2:00 p.m.
A second class action lawsuit has been filed against Facebook parent company Meta related to allegations of hospital website data collection, this time also listing UCSF Medical Center and Dignity Health as co-defendants.
An anonymous resident of Sacramento County, California and a patient of the healthcare organizations filed the suit in the U.S. District Court for the Northern District of California in late July.
Similar to the prior class action and research investigation from June, the plaintiff outlined "illegal information gathering" via a tracker called the Facebook/Meta Pixel embedded on hospitals' websites.
The defendant said in the complaint that her sensitive medical information was harvested by Meta through UCSF Medical Center and Dignity Health's patient portals.
She then "continued to have her privacy violated when her user data was used for profit by Meta when it allowed pharmaceutical and other companies to send her targeted advertising related to her medical conditions," according to the complaint. These advertisements were delivered on the defendant's Facebook page, in her email and in text messages, according to the case.
UCSF Medical Center and Dignity Health are listed in the filing because the healthcare providers "knew by embedding Meta Pixel ... they were sharing and permitting Meta to collect and use plaintiff's and the class members' user data, including sensitive medical information," according to the complaint.
No comments:
Post a Comment
Note: Only a member of this blog may post a comment.