Judge advances lawsuit claiming Meta pixel tracking on hospital websites violated HIPAA
| Judge advances lawsuit claiming Meta pixel tracking on hospital websites violated HIPAA | |
|---|---|
| Short Title | Meta Faces HIPAA Lawsuit Over Tracking Pixel |
| Location | California |
| Date | September 7, 2023 |
| Solove Harm | Surveillance, Secondary Use, Breach of Confidentiality |
| Information | Medical and Health |
| Threat Actors | Meta Platforms Inc., California Hospital Websites |
| Individuals | |
| Affected | Users of hospital websites |
| High Risk Groups | Individuals with sensitive medical conditions |
| Tangible Harms | Loss of Trust, Change of Behavior |
A San Francisco District Judge advanced a lawsuit alleging Meta surveilled users on the Carolina hospital websites and obtained sensitive information which they used for targeted advertising.
Description
On September 7, 2023 San Francisco District Judge William Orrick allowed a lawsuit against Meta to proceed, which alleges that the company knowingly used the Meta Pixel, their proprietary online tracking code, to gather sensitive medical information on hospital websites. If true, this would constitute a violation of HIPAA, since HIPAA only allows health providers to transmit medical information to business associates, and with valid HIPAA authorization, neither of which is true of these disclosures. The lawsuit also alleges that the use of Meta's Pixel to transmit this information violates the Electronic Communications Privacy Act and California Invasion of Privacy Act (CIPA), since the company had not taken sufficient precautions to prevent the transmission of sensitive medical information. Meta contends that they should not face liability and that it is the responsibility of websites to ensure they have appropriate permissions before choosing to include their Tracking Pixel. Meta's alleged conduct would constitute not only Surveillance, but also Secondary Use, since hospital website users did not provide their personal information for the purpose of Meta's targeted advertising. Finally, it could be argued that the hospitals who included Meta's Pixel on their websites are responsible for a Breach of Confidentiality since its use resulted in the disclosure of medical information that should have been confidential under HIPAA.
Laws and Regulations
HIPAA
Electronic Communications Privacy Act
§637.5. Invasion of Privacy.
Sources
[https://www.hipaajournal.com/federal-judge-tentatively-advances-meta-pixel-medical-privacy-class-action/%0Ahttps://www.reuters.com/legal/meta-platforms-must-face-medical-privacy-class-action-2023-09-08/ https://www.hipaajournal.com/federal-judge-tentatively-advances-meta-pixel-medical-privacy-class-action/ https://www.reuters.com/legal/meta-platforms-must-face-medical-privacy-class-action-2023-09-08/]