Meta Faces Legal Firestorm As Hospitals Cite Its Pixel Tool In Health Data Breaches

Two health systems have become the latest healthcare organizations to name a web tracking tool created by Meta (formerly Facebook) as responsible for their data breach. This comes as the social media giant faces a growing number of lawsuits alleging that the tool improperly collects and sells sensitive patient health information.

Both of the recent incidents, which were announced in mid-October, involved a Meta tracking tool known as Meta Pixel. Meta Pixel is a snippet of JavaScript code that allows companies to track visitor activity on their website. It works by loading a small library of functions that companies can use whenever a site visitor takes an action. What makes the tool questionable is that in addition to tracking web activity, it sends some of the data it gathers to Meta.

According to research by The Markup, Meta Pixel is currently in wide use. To get a sense of how widespread use of the tool is within hospitals, the site tested websites for Newsweek’s top 100 hospitals in America. The researchers found that 33 of the sites had Meta Pixel in place, and that seven major health systems were using the tool within patient portals.

However, Meta is facing a backlash related to the data Meta Pixel sends home, as well as how it uses the data.

One hospital chain which blames Meta Pixel for a data breach is Advocate Aurora Health, which operates 26 hospitals across Wisconsin and Illinois. AAH just informed its patients that due to an incorrectly configured version of Pixel, the health system exposed personal data on 3 million patients.

When patients used AAH portals available through MyChart and LiveWell – in addition to some of its scheduling widgets – the systems seem to have leaked PHI to Meta, especially if the users were logged into Facebook or Google accounts.

Another health system citing Meta Pixel for data exposure was three-hospital chain WakeMed Health and Hospitals, which placed Pixel on both its corporate website and its MyChart portal in March of 2018.

The health system recently found that Pixel might have transmitted data entered in MyChart back to Facebook. WakeMed’s leaders reported that they weren’t sure whether sensitive patient data got sent to Facebook, but nonetheless disabled the tool in May 2022.

Previously, in August of this year, hospital chain Novant Health disclosed a data breach affecting roughly 1.4 million individuals in which Meta Pixel collected sensitive patient information and sent the data home.

Meanwhile, Meta has been hit with at least three separate class action suits contending that the Meta Pixel tool played a role in alleged illegal information gathering.

According to reporting in Fierce Healthcare, a class action was filed in June on behalf of an anonymous patient of Baltimore’s MedStar Health System contending that Meta has violated HIPAA by collecting patient status data, including IP addresses, doctor names and recent health-related activity.

In August, Meta was hit with a second class action lawsuit citing UCSF Medical Center and Dignity Health as co-defendants.

In the complaint, the patient said that Meta harvested sensitive medical information through UCSF and Dignity Health’s patient portals, then sold the data to pharmaceutical and other companies which fed her targeted advertising related to her medical conditions.

Also in August, a patient filed a class action lawsuit against Northwestern Memorial Hospital, arguing that while the provider had disclosed the use of the data tracker in its terms and conditions, the waiver didn’t release Northwestern from state-level privacy protections. The suit also alleges that Meta violated state and federal data protection laws by collecting and selling private medical information.

The plaintiff is asking for punitive damages of $5 million or more for himself and others similarly situated.

About the author

Anne Zieger

Anne Zieger is a healthcare journalist who has written about the industry for 30 years. Her work has appeared in all of the leading healthcare industry publications, and she's served as editor in chief of several healthcare B2B sites.

1 Comment

  • Meta should be out of business for their practices. As an Advocate Aurora patient, I got the letter and hundreds of spam calls to my phone in the past 2 weeks.
