
Meta punts pixel tool responsibility, says privacy fault is on providers 


In what’s become a contentious issue over the last year, Meta is placing the blame for alleged hospital data scraping squarely on the shoulders of the healthcare providers that deployed the Pixel analytics tools on their websites without considering the possible third-party data sharing.

A motion to dismiss filed in a federal California court late last week said the individuals who brought the class action lawsuit against Facebook, accusing the social media giant of collecting hospital website data and violating the medical privacy of millions of patients, are “missing the point.”

“It’s ultimately the developer, not Meta, that controls the code on its own website and chooses what information to send,” according to the May 5 filing. The lawsuit attempts “to distract the court from these points by detailing the ways in which Meta allegedly encourages businesses in the healthcare sector to use its business tools.”

Companies can use the Pixel tool without sending health data to Meta and are expected to use the tool in compliance with Meta’s terms, the company argues. The company also claims to use filtering tools that screen out health data and alert the developer so they can check configurations of the Pixel "and fix any issues."

"There's nothing inherently unlawful or harmful" about the "technology at the heart of this case," Meta claims.

The “grab-bag complaint” that alleges “13 causes of action, ranging from ‘wiretap’ violations to larceny to trespass,” doesn’t fit the narrative of their claims, namely that it’s Meta that “should be held liable for certain healthcare providers’ alleged misuse of a publicly available tool.”

In short, “Meta did not implement or configure” Pixels on the providers’ websites. Thus, their arguments, squarely centered on Meta’s intent to gather health data, “fail” and “are poor vessels for the misguided theory” posed by the individuals.

The filing is a sharp rebuttal to a year-long railing against Meta for the manner in which its Pixel tool has allegedly enabled the inadvertent sharing of health data with third-party companies by the hospitals and healthcare providers that used the tools to better understand the needs of their users.

Filed in June 2021, the lawsuit claims Meta “knowingly receives patient data — including patient portal usage information — from hundreds of medical providers in the U.S. that have deployed the Facebook Pixel on their web properties.” The data is then allegedly monetized by the company by generating “highly-profitable targeted advertising on- and off-Facebook.” 

At the time of the initial filing, the plaintiffs’ legal team identified at least 664 hospital system or medical provider websites where the Pixel allegedly obtained health data for Facebook. But an April 2023 report found nearly all hospital websites routinely transfer patient data through tracking tools and cookies, including those tied to Facebook, Google and other tech companies.

As reported by SC Media, providers deploying these tools were likely unaware of the risk posed by Pixels or whether the marketing team had deployed them in the first place.

The Department of Health and Human Services has already warned providers that Pixel use without a business associate agreement violates the Health Insurance Portability and Accountability Act. The use of these tools poses a serious violation of patient privacy, particularly in instances that lead to targeted advertising for specific health conditions.

Kaiser Permanente is the latest healthcare provider to be sued by a patient for its alleged use of tracking tools. The massive health system has not issued a breach notice tied to Pixel use. But the May 5 lawsuit claims the installed code shares patients’ health data with Quantum Metric, Twitter, Adobe, Bing and Google.

The data allegedly shared with these third parties includes “identifying information, medical topics researched, choices made, information shared and communications with their medical providers, including personally identifiable medical information and other confidential information and communications, when that information is in transit.”

Much like the Meta class action suit, the lawsuit language also includes references to “wiretapping.”

As such, the court’s forthcoming decision on Meta’s motion to dismiss could have serious impacts on dozens of lawsuits filed against Meta, Google, and the healthcare providers that have reported inadvertent data disclosures through the use of Pixels.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.
