Last week, Facebook parent Meta was hit with a class-action lawsuit. It is accused of collecting sensitive patient status data through hospital websites in violation of the Health Insurance Portability and Accountability Act (HIPAA).
An anonymous patient from Medstar Health in Baltimore, Maryland, has filed a lawsuit against Meta on behalf of "millions of victims whose medical privacy was illegally harvested by Facebook's Meta Pixel tracker." Medstar Health, Inc. is the largest not-for-profit healthcare organization in Maryland and the Washington area.
This comes after The Markup, a nonprofit tech investigative site, published an investigation detailing how it discovered Meta's patient data tracker on several top hospital sites. The data tracker, called the Meta Pixel, is an analytics tool provided by Facebook's parent company for website operators.
In exchange for social media advertising messages, the tracker sends Meta data about the user's IP address and web page activity, including the name of the patient's primary physician, recent web activity related to the patient's health, and more.
The Markup looked at the websites of 100 top hospitals and found the Meta Pixel on the websites of 33 of them, the report said. More than 26 million patients were treated at these hospitals in 2020, according to The Markup, citing data from the American Hospital Association.
The Markup also found trackers in the password-protected patient portals of seven major health systems, where the trackers were able to record personal data from real patients who volunteered.
Both The Markup's investigative reports and the lawsuit filings detail identifiable information collected by the Meta patient data tracker (such as IP addresses) and other potentially sensitive information, including the name of the patient's primary physician and recent online activity related to the patient's health status.
The documents also said that patients at those hospitals whose websites had trackers refused Meta's collection of their medical data. "Facebook knew that it was not authorized by HIPAA to obtain patient data from hundreds of different healthcare organizations in the United States, and patients were unaware of it," the plaintiffs said in their lawsuit.
The plaintiffs also said that, as of Friday's filing, they had determined that Facebook received patient data from at least 664 medical institutions through the Meta Pixel tracking tool.
Plaintiffs are asking the court to award compensatory and punitive damages for Facebook's alleged breach of contract, constitutional invasion of privacy, violation of the Electronic Communications Privacy Act, violation of the California Invasion of Privacy Act, and other allegations.