
Lawsuit accuses Facebook of scraping health data from hospital websites

A class-action lawsuit was filed against social media giant Facebook and Meta, its parent company, for allegedly scraping data of millions of patients from hospital websites. Pictured: A sign is posted in front of Meta headquarters on April 28, 2022, in Menlo Park, Calif. (Photo by Justin Sullivan/Getty Images)

A class-action lawsuit filed in U.S. Northern District of California claims Facebook’s Pixel tracking tool scraped hospital website data and violated the medical privacy of “millions of patients.” The suit follows a STAT report detailing the alleged improper use of Pixel on hospital websites.

The social media giant “knowingly receives patient data — including patient portal usage information — from hundreds of medical providers in the U.S. that have deployed the Facebook Pixel on their web properties,” according to the lawsuit.

The information scraped by Pixel is monetized “by using it to generate highly-profitable targeted advertising on- and off-Facebook.” So far, the legal team has identified at least 664 hospital system or medical provider websites where Pixel has allegedly obtained health data for Facebook.

Lawsuit says Facebook Pixel violated HIPAA rules

According to the filing, Pixel redirects patient data from “supposedly ‘secure’ patient portals,” resulting in the “wrongful, contemporaneous, redirection to Facebook of patient communications.”

"When a patient communicates with a healthcare provider’s website where the Facebook Pixel is present on the patient portal login page… [the tracking tool] source code causes the exact content of the patient’s communication with their healthcare provider to be redirected to Facebook in a fashion that identifies them as a patient,” according to the lawsuit.

The lawsuit claims the data collection is done without the consent or knowledge of patients, in direct violation of federal and state laws, as well as Facebook’s contract with its users. And Facebook is allegedly well aware of Pixel's “unlawful collection of data.”

The plaintiff, known only as John Doe, detailed his own experience with the alleged data scraping as a patient of the MedStar Health System in Baltimore. Doe claims he used the health system’s patient portal to review lab results, schedule appointments, and communicate with providers.

But when he signed into the patient portal “Pixel, secretly deployed on the webpage, sent the fact that he clicked to sign-in to the patient portal to Facebook,” Doe alleged. The data allegedly redirected by Pixel from the patient’s device to Facebook included notifying the tool the patient was communicating with MedStar via the health system website, as well as clicking to subscribe and login to the patient portal.

The tool also allegedly informed Facebook that the patient previously reviewed breast health information on the MedStar website, along with the patient’s IP address, identifiers Facebook uses to identify patients and their devices, and “browser attribute information sufficient to fingerprint the patient’s device.”
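The mechanism the suit describes is a third-party snippet on a portal login page that reports page views and clicks to Facebook. A provider's security team can check for it statically before any page goes live; the following audit is an added example written here, not code from the article or from any party to the suit. It matches the markers of the standard Pixel snippet (the fbevents.js loader, fbq('init'/'track') calls and the noscript image to facebook.com/tr); the sample pages are constructed and the pixel id is a placeholder.

```python
import re

# Markers of the standard Facebook Pixel snippet: the fbevents.js loader,
# fbq('init', <pixel id>) and fbq('track'/'trackCustom', <event>) calls, and
# the <noscript> image fallback that requests www.facebook.com/tr.
PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[^\"'\s]*fbevents\.js")
PIXEL_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
PIXEL_TRACK = re.compile(r"fbq\(\s*['\"]track(?:Custom)?['\"]\s*,\s*['\"]([^'\"]+)['\"]")
PIXEL_IMG = re.compile(r"https://www\.facebook\.com/tr\?[^\"'\s]*")

def find_pixel(html):
    """Report Facebook Pixel artifacts in one page's HTML (static check only;
    tags injected at runtime by a tag manager need a browser-based check)."""
    return {
        "loader": bool(PIXEL_LOADER.search(html)),
        "pixel_ids": sorted(set(PIXEL_INIT.findall(html))),
        "events": sorted(set(PIXEL_TRACK.findall(html))),
        "noscript_img": bool(PIXEL_IMG.search(html)),
    }

def audit(pages):
    """Given {url: html}, return only the pages that carry the Pixel, so a
    portal login, results or scheduling page can be flagged for review."""
    flagged = {}
    for url, html in pages.items():
        report = find_pixel(html)
        if report["loader"] or report["pixel_ids"] or report["noscript_img"]:
            flagged[url] = report
    return flagged

# Constructed sample pages (not real hospital markup): a portal login page
# carrying the Pixel plus a custom login event, and a page without it.
LOGIN_PAGE = """<html><head><title>Patient Portal Login</title>
<script>
!function(f,b,e,v,n,t,s){n=f.fbq=function(){};t=b.createElement(e);t.src=v;
s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}(window,document,
'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>
<button onclick="fbq('trackCustom', 'PortalLogin')">Sign in</button>
</body></html>"""
CLEAN_PAGE = "<html><head><title>Visitor hours</title></head><body>9am-5pm</body></html>"

if __name__ == "__main__":
    for url, report in audit({"/portal/login": LOGIN_PAGE, "/visiting": CLEAN_PAGE}).items():
        print(url, report)
```

A Content-Security-Policy whose script-src, connect-src and img-src do not list connect.facebook.net and www.facebook.com would also stop the snippet from reporting, even if it slipped into the markup.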

The lawsuit argues that the tracking and data scraping is in direct violation of the Health Insurance Portability and Accountability Act, as it would require Facebook to obtain “valid HIPAA-compliant authorization” before the collection of any data.

In addition, Doe claims neither Facebook nor any of the hospitals using Pixel on their websites procured HIPAA authorizations prior to deploying the tool, particularly for the disclosure of patient status and health information to the social media giant.

“Facebook’s collection of patient status and the content of patient communications with their medical providers, including when they register, log-in and logout of patient portals and to set up appointments, in the absence of a HIPAA authorization violates Facebook’s privacy promises to users,” according to the suit.

The lawsuit further claims that despite knowingly receiving this health data from providers, Facebook hasn’t taken action or validated the requirement for providers to obtain adequate consent before providing the data to Facebook.

What’s more, the data is used by Facebook to sell targeted advertising “to target patients based on specific actions a patient has taken on the medical providers’ websites,” as well as engagements “in remarketing based on positive targeting,” or specific ad campaigns targeting patients based on their actions on healthcare websites.

“For example, Facebook could target ads to a patient who had used the patient portal and viewed a page about a specific condition, such as cancer,” according to the lawsuit.

In short, the social media giant and its parent company, Meta, are accused of breach of contract and of the duty of good faith and fair dealing, along with intrusion upon seclusion, violation of the California Constitution, federal and state electronic communications privacy and wiretap claims, negligent misrepresentation and violation of the California Invasion of Privacy Act.

Past allegations of Facebook collecting health data

The trouble is: this is certainly not the first time Facebook has been accused of scraping or dubiously collecting health data from its platform.

In fact, a 2016 lawsuit claimed Facebook compromises patient privacy, while a 2018 FTC complaint accused Facebook of misleading users about the privacy practices of “closed health groups” and argued the platform “deceptively solicited” patients to use Facebook’s “Groups” function to share their personal health information.

However, Facebook allegedly failed to protect the data uploaded into these groups, which possibly exposed the data to the public.

Meanwhile, a 2019 settlement with the Federal Trade Commission resolved charges that Facebook deceived users about their ability to control their data privacy and closed a massive FTC investigation into how the platform mishandled user communications and a massive loss of patient data.

The settlement required specific controls and notices for users about its data use, and later led the FTC to file a Department of Justice complaint with similar allegations: “Facebook repeatedly used deceptive disclosures and settings to undermine users’ privacy preferences in violation of its 2012 FTC order.”

The complaint further claimed Facebook’s tactics enabled them to share the personal information of users with third-party apps downloaded by users’ Facebook “friends.” The state of New York launched its own investigation after these complaints came to light.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
