Meta Sued For Collecting Sensitive Patient Data

Posted by HIPAA Software on Jul 05, 2022

John Doe, a Facebook user and a MedStar Health System patient from Maryland, has sued Meta (the parent company of Facebook) for scraping protected health information. The social media giant allegedly collects highly sensitive data about patients from hospital websites that embed its Meta Pixel tool. The complaint says this violates the HIPAA Privacy Rule and affects millions of people.

What Is the Meta Lawsuit About?

A class-action lawsuit against Meta was filed in the U.S. District Court for the Northern District of California. The plaintiff, John Doe, accuses Facebook of collecting hospital website data in a way that is not allowed under the HIPAA Privacy Rule. Researchers found that the Meta Pixel tool is used on the websites of one-third of the top 100 hospitals in the United States. The Pixel is a snippet of JavaScript that tracks visitor actions on a website. For example, it can record which form or button a user clicks, which options the user selects from a dropdown menu, and anything else present in the HTTP request, including its headers. If a healthcare provider's website includes this tool on pages that handle patient information, it is likely to transmit protected health information (PHI) to Meta/Facebook. That data may include the IP address, the date of a scheduled appointment, a medical condition or doctor chosen from a menu, and other selections the user makes.
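As an added illustration (not Meta's code and not from the original article), the following JavaScript models the two sides of the leak described above: how a tracking snippet serialises a form interaction into a payload, and how a first-party gate on the hospital's side can refuse to forward anything health-related to a third party. The event object shape, the fictional hospital.example URLs, the sensitive-path and sensitive-field lists, and the sample events are all assumptions made for this example; the loader signatures checked by pageLoadsPixel reflect how the public Pixel snippet loads fbevents.js and calls fbq('init', ...).

```javascript
// Added example, not Meta's code. Everything below (event shape, URLs,
// regex lists, sample events) is constructed for illustration.

// Signatures of the public Meta Pixel loader snippet: the fbevents.js
// library and the fbq('init', ...) call. Useful as a first pass when
// auditing which pages of a site carry the tracker.
const PIXEL_LOADER = /connect\.facebook\.net\/[a-z_]+\/fbevents\.js/i;
const PIXEL_INIT = /fbq\(\s*['"]init['"]/;

function pageLoadsPixel(html) {
  return PIXEL_LOADER.test(html) || PIXEL_INIT.test(html);
}

// What a tracker observes for one interaction: the page URL, the event
// type, the field touched and the option selected (the "form clicks and
// dropdown selections" of the text). In a real snippet this comes from DOM
// events; the event object shape used here is assumed.
function buildTrackerPayload(ev) {
  return {
    event: ev.type,                 // "click" or "change"
    url: ev.pageUrl,
    field: ev.fieldName,
    value: ev.selectedValue ?? null,
    label: ev.selectedLabel ?? null,
  };
}

// Paths and field names that, on a hospital site, are likely to carry PHI.
// Constructed lists; a real deployment would derive them from the site map.
const SENSITIVE_PATH = /\/(patient|portal|appointments?|find-a-doctor|conditions?)(\/|$)/i;
const SENSITIVE_FIELD = /(condition|diagnos|symptom|medication|appointment|provider|insurance|dob|birth)/i;

// First-party gate: a third-party tag should only ever be handed a payload
// that passes this check. It fails closed: any hit blocks the whole event
// rather than redacting one field, because the URL path alone can reveal a
// condition or an appointment.
function gateForThirdParty(payload) {
  const reasons = [];
  if (SENSITIVE_PATH.test(new URL(payload.url).pathname)) reasons.push('sensitive-path');
  if (SENSITIVE_FIELD.test(payload.field)) reasons.push('sensitive-field');
  return reasons.length
    ? { allowed: false, reasons, payload: null }
    : { allowed: true, reasons, payload };
}

// Constructed sample interactions on a fictional hospital site.
const SAMPLE_EVENTS = [
  { type: 'change', pageUrl: 'https://hospital.example/find-a-doctor',
    fieldName: 'condition', selectedValue: 'endocrinology', selectedLabel: 'Diabetes' },
  { type: 'change', pageUrl: 'https://hospital.example/patient/appointments',
    fieldName: 'date', selectedValue: '2022-07-12' },
  { type: 'click', pageUrl: 'https://hospital.example/news',
    fieldName: 'newsletter-signup' },
];

// Run every sample interaction through tracker serialisation and the gate.
function auditEvents(events) {
  return events.map((ev) => gateForThirdParty(buildTrackerPayload(ev)));
}

// Stand-alone run: shows which interactions would have reached the tracker.
for (const r of auditEvents(SAMPLE_EVENTS)) {
  console.log(r.allowed ? 'forward' : `block (${r.reasons.join(', ')})`);
}
```

The first two sample events are blocked (a condition chosen on the find-a-doctor page, and an appointment date inside the patient portal), while the newsletter click on a public news page is forwarded. The point of the gate is that the decision is made by the hospital's own code before any third-party script sees the data; a filter that runs only on Meta's side, after the request has already left the browser, cannot undo the disclosure.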

“It works by loading a small library of functions which you can use whenever a site visitor takes an action that you want to track. Tracked conversions appear in the Ads Manager where they can be used to measure the effectiveness of your ads, to define custom audiences for ad targeting, for dynamic ads campaigns, and to analyze the effectiveness of your website’s conversion funnels.”

This is how Meta's own documentation describes the tool.

Although Meta is not a HIPAA-covered entity, it would need a HIPAA business associate agreement (BAA) in place with each hospital in order to handle PHI in compliance with HIPAA. Meta states on its website that "If Meta's signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems." The complaint accuses Facebook of failing to protect PHI and of taking no action to enforce or verify its own requirement that businesses not send it sensitive health data. HIPAA does not permit a hospital to disclose PHI to a third party such as Meta without patient authorization or a BAA, so the tool cannot lawfully run on pages that transmit PHI. In other words, the social media platform itself is not bound by HIPAA, but the hospitals that place the Meta Pixel on their websites may commit HIPAA violations by transferring sensitive information without consent.

Legal Claims in the Meta Lawsuit

The core allegation is that Meta scraped the protected health information of millions of patients. The complaint says this breaches contract and the duty of good faith and fair dealing, and violates federal and state laws, including the federal Electronic Communications Privacy Act, the California Invasion of Privacy Act, and California's Unfair Competition Law. The lawsuit seeks class-action status, compensatory and punitive damages, and attorneys' fees.

This is not the first time Facebook has been accused of such violations. Similar lawsuits were filed in 2016, 2018, and 2019. In 2019 the Department of Justice, on behalf of the Federal Trade Commission (FTC), filed a complaint with similar allegations: "Facebook repeatedly used deceptive disclosures and settings to undermine users' privacy preferences in violation of its 2012 FTC order."

Therefore, you need to be sure that you follow all requirements of HIPAA compliance in order to avoid large fines or a HIPAA corrective action plan. Subscribe to our blog and stay on top of HIPAA compliance.
