Meta Platforms sued for alleged unlawful collection of patient data
At least 664 hospital systems or medical providers have been identified where Facebook has received patient data, lawsuit says.
Photo: Gado/Getty Images
Meta Platforms is facing a potential class-action lawsuit for allegedly using its Pixel tracking tool to get patient information from hospital portals for target marketing purposes.
The plaintiff, under the name of John Doe, a patient of the Medstar Health System in Baltimore, Maryland, filed the case June 17 in the U.S. District Court for the Northern District of California. He requests class-action status and a jury trial.
The action has been assigned to Judge Nathanael M. Cousins and to the Alternative Dispute Resolution Multi-Option Program. The initial case management conference is set for September 21 in San Jose, California.
The Pixel tracking tool is being improperly used on hospital patient portals, resulting in a "wrongful redirection" to Facebook of patient communications to register, sign-in or out, request or set appointments, or call the provider via their computer devices, the lawsuit said.
"This unlawful collection of data is done without the knowledge or authorization of the patient, like plaintiffs, in violation of federal and state laws as well as Facebook's own contract with its users," the court document said. "When a patient communicates with a healthcare provider's website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient's communication with their healthcare provider to be redirected to Facebook in a fashion that identifies them as a patient."
Patient data is protected by HIPAA and requires valid HIPAA-compliant authorization before it is collected by Facebook, the court document said. It also violates Facebook's privacy promises to users, Doe said.
"Facebook knowingly receives patient data – including patient portal usage information – from hundreds of medical providers in the United States that have deployed the Facebook Pixel on their web properties," the lawsuit said.
Facebook allegedly monetizes the information by using it to generate profitable targeted advertising on and off Facebook and to target patients based on their actions on the providers' websites.
"For example, Facebook could target ads to a patient who had used the patient portal and viewed a page about a specific condition, such as cancer," the lawsuit said. "Facebook also offers medical providers the ability to engage in remarketing based on negative targeting – that is, ensuring that ads are not shown to users who have taken specific action. This could mean that Facebook would exclude existing patients from a medical provider's advertising campaign in order to establish new patients."
Facebook employs thousands of account managers or representatives to help partners, including medical providers, use the Facebook Pixel and other tools, court documents said.
WHY THIS MATTERS
At least 664 hospital systems or medical providers have been identified where Facebook has received patient data via the Facebook Pixel, according to the lawsuit.
No known complaint has been filed against the providers.
"Facebook does not 'require' medical providers to have lawful rights to share patient data associated with their respective patient portals and appointment software before sending it to Facebook," the lawsuit said. "Instead, Facebook merely includes a provision in its form contract which creates an unenforced 'honor system' for publishers, stating that, by using the Facebook Business Tools, the publisher 'represent[s] and warrant[s] that [it has] provided robust and sufficient prominent notice to users regarding the Business Tool Data collection, sharing, and usage.'"
John Marzano, a former hospital marketer and principle of JAM3 Strategic Marketing and PR, does not have personal experience with Facebook Pixel but said that the digital age has changed how marketing is done.
His advice for hospital marketers is to work closely with the IT department to make sure patient information remains within the firewall and that security is being upheld.
"IT always had a concern about social media because it's always so open," he said. "It's still a little like the Wild West."
He and other marketers would pull a list of numbers - not names - from their organization's customer relationship management (CRM) system and use that to target those with a particular condition, such as cardio-vascular disease, to send out emails. Patients first had to give their consent when they signed up for their personal medical records, he said.
The process was digitally set up and integrated with the CRM and EHR.
"That was something we worked through with our IT teams," Marzano said. "We might get a list of 500 people who had a medical history or were treated; lifestyle attributes identified potential future screenings."
It's great to utilize the right tools to target people who need care, Marzano said, but it's a marketer's responsibility to understand and respect patient privacy within the channels being used.
"Marketing and IT must be joined at the hip to know what the other is doing to protect against leaks in personal health information," Marzano said.
THE LARGER TREND
In September 2020, a federal judge dismissed a lawsuit against the University of Chicago Medical Center and Google over data sharing.
In 2017, The University of Chicago, the University of Chicago Medical Center and Google began a research partnership in which they used machine-learning techniques to create predictive health models aimed at reducing hospital readmissions.
As part of the research, the University de-identified electronic medical records of adult patients, the court document said.
The judge said the plaintiff received a disclaimer by The University of Chicago Medical Center on sharing information for research purposes. The court dismissed the plaintiff's claim of breach of contract and request for monetary damages.
Twitter: @SusanJMorse
Email the writer: SMorse@himss.org
