
Patients sue WakeMed, Aurora Advocate over data collection by Meta’s Pixel tool

Patients with WakeMed Health and Aurora Advocate Health filed lawsuits after they were notified of possible data scraping via Meta's Pixel tool. (Photo by Justin Sullivan/Getty Images)

WakeMed Health and Hospitals and Aurora Advocate Health are both facing patient-led lawsuits after two separate breach notices tied to possible data scraping through the use of Pixel on their hospital and patient-facing websites. The two separate lawsuits were filed on Oct. 31.

As SC Media reported, WakeMed informed 495,000 patients and Advocate Aurora notified 3 million individuals that their data was inadvertently shared with Meta and other third-party vendors due to the use of Pixel on their respective websites. Novant ACE sent a similar notice to 1.3 million patients in June, following two reports alleging the Meta Pixel tool was scraping hospital data.

Meta is already facing similar lawsuits filed by patients in the wake of these reports. The company has denied it receives protected health information from its pixel tool.

The breach notices explained the tool was installed on these sites to understand how patients and others interact with the websites, for measuring and evaluating trends, as well as the preferences of patients using their sites. The data involved interactions with the websites, especially for users concurrently logged into Google or Facebook accounts.

Once WakeMed and Aurora Advocate learned of the purported data scraping, they launched investigations into the use of Pixels on their sites and found that the tracking tool disclosed certain protected health information “in particular circumstances to specific vendors.”

However, the lawsuit alleges that these providers were aware, or should have been aware, of the data sharing.

The WakeMed filing shows the health system installed the Pixel tool as far back as 2018 as part of a campaign to connect more patients to its patient portal, which “involved Facebook advertisements and a Meta… Pixel placed on the WakeMed Health website to help monitor how patients use its website and the effectiveness of its outreach programs.”

The lawsuit claims the Pixel was configured to “capture and allow private information to be transmitted to Meta from the WakeMed website and MyChart portal.” WakeMed disabled and removed the Pixel in June 2022, likely after the release of the two investigative reports on the Meta tool.

WakeMed confirmed the unauthorized disclosure to Meta and Facebook after its own investigation. But the lawsuit argues that the disclosure was “intentional.”

The lawsuit also takes issue with the October disclosure, claiming that the notice should have come sooner. Under the Health Insurance Portability and Accountability Act, breach notices are to be sent within 60 days. But it’s unclear when Aurora Advocate and WakeMed’s forensics reviews first discovered the disclosure.

The health systems are each accused of failing to implement adequate and reasonable measures to protect the confidentiality of data, along with not taking steps to prevent unauthorized disclosure and failing to “follow applicable, required, and appropriate protocols, policies, and procedures regarding securing private Information.”

The patients are seeking “injunctive and other equitable relief.” It should be noted that the “actual injury” alleged by the patients is the “diminution in the value of [their] private information,” in addition to “lost time, annoyance, interference, and inconvenience” and “anxiety, emotional distress, and increased concerns for the loss of her privacy.”

On the surface, the lawsuit appears to fall within an increasingly concerning trend in the healthcare sector. Healthcare compliance stakeholders have warned that breach lawsuits in the sector have increasingly become modern ambulance chasing, even after the June 2021 Supreme Court decision asserting breach victims must provide evidence of concrete harm to pursue these cases.

Despite the decision, these lawsuits have actually increased in the last few years. A handful have been tossed due to the lack of harm, while many are settled out of court after years of mediation.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
