Privacy, Application security

Another lawsuit claims Facebook scraping data from hospital sites

A class-action lawsuit was filed accusing Meta, parent company of Facebook, of scraping healthcare data from hospital websites. (Photo by Leon Neal/Getty Images)

A lawsuit filed in the U.S. District Court of Northern California last week accuses Meta, the University of California San Francisco Medical Center, and Dignity Health Medical Foundation, of allowing Facebook to scrape healthcare data from hospital websites with Meta’s Pixel tool without user consent.

It’s the second proposed class-action against Meta alleging the social media giant is engaging in less-than-upstanding data privacy practices. Both follow a STAT News report detailing the alleged improper use of Meta’s Pixel tool on hospital websites.

When Meta’s Pixel tool is embedded onto third-party websites, it tracks user activities, navigation patterns, and the specific information entered into the webpage. According to the lawsuit, Pixel harvests the data and sends it to Meta, which stores it on its servers.

The benefits of this tactic to Meta are “far more sinister.” Particularly when the tool is incorporated onto a website without users’ consent, “Meta gains the ability to surreptitiously gather every user interaction with the website ranging from what a user clicks on to the personal information entered on a website,” according to the suit.

“Meta aggregates this data against all websites,” the lawsuit explains. When incorporated onto medical websites and a user enters their health information into the hospital websites and patient portals, Pixel gathers appointments, treatments, medical conditions, diagnoses, procedures, test results, and provider information, among other healthcare data.

The data is used by Meta, “as well as other parties, in connection with targeted advertising,” according to the suit. Pixel is embedded on 33 of the top 100 U.S. hospitals and on the patient portals of seven health systems, including UCSF Medical Center and Dignity Health Medical Foundation.

The patient behind the suit claims her personal data and medical information that she entered into the Dignity Health and UCSF patient portals were harvested by the Pixel tool.

The scraped data was used by Meta as part of the company’s advertising  business, for which the company profits from providing third parties with access to users most likely to be interested in their products or services. The patient alleges the company allowed pharmaceutical and other companies to target her with advertising tied to her medical conditions. 

Further, the patient claims she received advertisements specifically tailored to her personal and health data which she entered into her patient portals. The ads were sent to her email and in text messages and appeared on her Facebook page.

The lawsuit alleges that Meta is aware the user data collected by Pixel from Dignity Health and UCSF websites includes highly sensitive medical information, but continues to collect, use, and profit from the information “in reckless disregard for patient privacy.”

Dignity Health and UCSF “knew by embedding Meta Pixel — a Meta advertising tool — they were sharing and permitting Meta to collect and use [patients’] data, including sensitive medical information,” according to the suit. As a result, their actions “constitute an extreme invasion of [patients’] right to privacy” and in violation of federal and state statutory and common law. 

The lawsuit cites the Markup report detailing Pixel’s data scraping and its dubious use in targeted advertising against users, as well as views from industry stakeholders who call the practice “problematic” and a “likely Health Insurance Portability and Accountability Act violation by the hospitals.”

The lawsuit joins a growing number of Congressional inquiries examining the health data practices of Meta, health apps, and other platforms, as reports show patients increasingly want more control over their health data, especially after the upheaval of Roe. v. Wade.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.