Facebook Sued for Collecting Patient Medical Data Without Consent

On June 17, 2022, a class action lawsuit was filed against Meta Platforms, Inc., (“Meta”), formerly known as Facebook, Inc. (“Facebook” or the “Company”), alleging that Facebook has been collecting sensitive medical information from hospital websites without obtaining patients’ consent. The complaint was filed the day after a technology watchdog organization, The Markup, posted an article outlining how Facebook had been unlawfully collecting patient information. Neither Facebook nor any of the hospital systems or medical provider websites had obtained patient authorizations required under the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).

The lawsuit claims that Facebook’s marketing tool, Facebook Pixel, has been collecting personal data from medical providers’ web properties to generate targeted advertising on and off Facebook. The patient status and health information collected comes from the webpages of at least 664 hospital systems or medical providers and includes communications relating to provider-patient portals, appointments, and phone calls.

Facebook’s actions are alleged to violate the California state constitutional right to seclusion, the criminal California Invasion of Privacy Act, the California Unfair Competition Law, and federal and state electronic communications privacy and wiretap laws. The lawsuit also asserts claims for breach of contract, breach of the duty of good faith and fair dealing, and negligent misrepresentation.

Facebook does require businesses using Pixel to have lawful rights to collect, use and share data, but the Company does not ask medical providers to acquire the patient consent required under HIPAA’s patient privacy rules. This is problematic because, as the lawsuit explains, “[w]hen a patient communicates with a health care provider’s website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient’s communication with their health care provider to be redirected to Facebook in a fashion that identifies them as a patient.”

In response to the lawsuit, Meta spokesperson Dale Hogan stated that potentially sensitive health data is filtered and removed before it can be stored in the advertisement systems. However, Facebook did not launch this filtering system until July 2020, five years after the introduction of Facebook Pixel.

Updates will be posted to this blog as the matter progresses. A class has not yet been certified in this action. The case caption for the lawsuit is Doe v. Meta Platforms, Inc., case number 5:22-cv-03580-NC, filed in United States District Court for the Northern District of California.

The legal team at Miller Shah LLP has extensive experience in complex class action litigation. If you have any questions regarding this subject, please contact Stephen Rutkowski (strutkowski@millershah.com) or Casey Yamasaki (ctyamasaki@millershah.com). The firm can also be reached toll-free at (866) 540-5505.