Meta, US Hospitals Sued Over Using Health Data to Target Ads – BleepingComputer

Meta, US hospitals sued for tracking patients on medical portals

A class-action lawsuit has been filed in the Northern District of California against Meta (Facebook), UCSF Medical Center and the Dignity Health Medical Foundation alleging that the organizations unlawfully collect sensitive health information about patients for targeted advertising.

This tracking and data collection allegedly takes place in medical portals beyond login walls, where patients enter highly sensitive information about themselves, their condition, doctors, prescribed medications, and more.

According to the lawsuit, neither the hospitals nor Meta inform patients about the data collection, no user consent is obtained, and there is no visible indication of the process.

The plaintiffs realized the invasion of their privacy when Facebook, Meta’s social media platform, began targeting them with advertisements explicitly tailored to their health conditions.

Meta Pixel

The Meta Pixel is a piece of code that can be injected into any website to aid in visitor profiling, data collection, and targeted advertising.

It takes up the space of a single pixel, hence its name and stealth, and helps collect data like button clicks, scrolling patterns, data entered into forms, IP addresses, and more.

This data collection takes place for all users, even if they do not have a Facebook account. However, for Facebook users, the collected data is linked to their account for deeper correlation.

Because the Meta Pixel is installed on numerous websites, users are tracked and targeted with specific ads across multiple sites.

A recent study by The Markup found Meta Pixels in 30% of the 80,000 most popular websites, including several anti-abortion clinics and other healthcare providers.

The lawsuit alleges that Meta’s tracking code is present on 33 websites of the top 100 hospitals in the United States, and that in seven cases the code is present inside password-protected patient portals.

According to the complaint, the 33 hospitals where the Meta Pixel was detected recorded a combined total of over 26 million patients and outpatient visits in 2020 alone.
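For site owners who want to check their own pages for the tracker described above, the following Python sketch is an added example (not code from the article, the complaint or The Markup's study). It scans saved HTML for the markers of the publicly documented Meta Pixel embed and rates hits on pages behind a login as high severity; the `portal.example` URLs, the all-zero pixel ID and the severity labels are constructed assumptions.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Markers of the publicly documented Meta Pixel embed snippet.
LOADER = re.compile(r"connect\.facebook\.net/[^'\"\s]*fbevents\.js")
FBQ_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")

class PixelFinder(HTMLParser):  # collects (kind, detail) tuples for one page
    def __init__(self):
        super().__init__()
        self.findings, self._script = [], None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        url = urlparse(src)
        if tag == "script":
            self._script = []  # buffer inline JavaScript until </script>
            if LOADER.search(src):
                self.findings.append(("loader", src))
        elif tag == "img" and url.hostname == "www.facebook.com" and url.path == "/tr":
            # <noscript> fallback beacon: the pixel ID rides in the query string
            self.findings.append(("beacon", parse_qs(url.query).get("id", ["?"])[0]))
    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            js, self._script = "".join(self._script), None
            if LOADER.search(js):
                self.findings.append(("loader", "inline"))
            self.findings += [("init", pid) for pid in FBQ_INIT.findall(js)]

def audit(pages):
    """pages: {url: (behind_login, html)} -> {url: (severity, findings)}, hits only."""
    report = {}
    for url, (behind_login, html) in pages.items():
        finder = PixelFinder()
        finder.feed(html)
        if finder.findings:
            report[url] = ("high" if behind_login else "review", finder.findings)
    return report

# Constructed sample pages: placeholder host and pixel ID, not taken from the article.
PIXEL = """<script>!function(f,b,e,v){/* loader stub */}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');fbq('init', '000000000000000');
fbq('track', 'PageView');</script><noscript><img height="1" width="1"
src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>"""
SAMPLE = {"https://portal.example/login": (False, "<form></form>"),
          "https://portal.example/appointments": (True, "<body>" + PIXEL + "</body>")}
```

Calling `audit(SAMPLE)` reports only the authenticated appointments page. A static scan of this kind misses pixels injected at runtime by a tag manager, so it complements rather than replaces a review of the network requests the rendered page makes.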

Data breach

In examples cited in the court documents, patients received targeted ads on Facebook and also via email promoting diseases and medical services without scientific backing.

Email and Facebook ads included in complaint

Most importantly, the plaintiffs felt harmed because they never consented to the collection of sensitive medical information, let alone its use for targeted advertising.

Meta even includes a provision in its privacy policy stating that its partners (hosts of the Meta Pixel) must have lawful rights to collect, use, and share user data before disclosing it to the advertising giant.

However, as noted in the complaint: “The Health Care Defendants do not have the legal right to use or disclose the data of the Plaintiffs and Group Members because that information is protected by the privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”), which protects all electronically proprietary health information that an affected entity such as Healthcare Defendants “create[], receive[], care for[], or submit[]” in electronic form.”

Therefore, both Meta and the healthcare providers are accused of knowing that their data collection operation was unlawful, yet continuing it and concealing it from the people being tracked.

Meta’s efforts to filter out sensitive medical information from the collected data have proved ineffective, according to The Markup and the New York State Department of Financial Services, which looked into the matter back in February 2021.

Finally, the plaintiffs are seeking remedies on behalf of individuals in a similar situation for invasion of privacy, breach of medical information confidentiality, unjust enrichment, and breach of contract, as well as under the Computer Data Access and Fraud Act (CDAFA) and the Federal Wiretapping Act.