Meta Sued for Unlawful Collection of Patient Data

A recent class action lawsuit alleges Meta (the parent company of Facebook) used an illegal tracking tool to retrieve patient information from over 664 hospitals for marketing purposes. Meta and a handful of US-based hospitals have violated privacy laws such as HIPAA that control the means and methods for lawfully handling covered medical information. John Doe filed the case on June 17, 2022, in the U.S. District Court for the Northern District of California, seeking class action certification for a jury trial to recover compensatory damages and attorney’s fees.

What actually occurred?

Facebook’s Pixel, a tracking tool intended to provide users with targeted audience data to optimize ads and remarket, is wrongfully redirecting patient and healthcare communication to Facebook for advertisement purposes. This unlawful collection of data was done without the knowledge of patients. When a patient communicates with the healthcare provider, Pixel’s source code causes that data to be directed to Facebook in a way that identifies the user as a patient with specific health needs.

The Health Insurance Portability and Accountability Act of 1996 (HIPAA) protects patient data. When a provider uses Facebook Pixel, the information a patient communicates to that provider is transmitted to Facebook. This not only directly violates HIPAA, but also goes against Facebook’s promise of privacy to its users. Hundreds of medical providers have incorporated Facebook Pixel into their web servers, opening those medical providers up to liability under HIPAA or for the illegal transfer of patient data. By retrieving patient information, Facebook benefits monetarily by targeting the needs of the patients.

Why does this matter?

As the healthcare industry starts to merge with large business and tech industries, it is crucial for hospitals to use their IT departments to ensure that a protected firewall upholds the confidentiality of patient information. Companies like Oracle are acquiring Cerner, so it is not surprising that, in the emerging digital age, Facebook will start taking a more active role in the healthcare industry. It is inevitable that marketing and IT will merge, but it is the role of marketing to understand and respect the privacy of patients.

Facebook’s market dominance enables it to engage in anticompetitive behavior, such as providing unfair terms to users on a “take it or leave it” basis. Facebook places unfair conditions and terms on users by collecting data through Facebook Pixel. While the target of the suit is Pixel, it is not the first time that Facebook has been accused of mining the healthcare data of patients. In 2016, a very similar incident occurred where Facebook collected patients’ healthcare data for targeted advertising purposes.

The judge in that case ruled in Facebook’s favor because the plaintiffs failed to plead facts showing they suffered harm as a result of the data collection. Big Tech companies have dominance and reach into a space that many believe is protected. Even though Meta is not a covered entity under HIPAA, Meta would need to be in compliance with a HIPAA business associate agreement (BAA) in order to handle protected health information. Facebook has been acting without HIPAA authorization, directly violating the trust of providers and patients. As bigger companies start to merge with the healthcare industry, patient data becomes less protected, and it is important that these companies be held accountable for their breaches of patient privacy.