Advocate Aurora, WakeMed get served with class action over Meta's alleged patient data mining

Updated Nov. 4, 1:30 p.m.

Facebook parent company Meta is facing yet another class action lawsuit tied to the data scraping power of its Pixel tool in hospital and patient-facing websites. Advocate Aurora Health and WakeMed Health and Hospitals are both facing patient-led suits filed following two separate breach notices involving the technology.

Advocate Aurora informed 3 million patients in October that their sensitive health data may have been compromised and shared with Google, Facebook and the tech giants’ abundance of third-party vendors.

The complaint against Meta and Advocate Aurora was filed Oct. 28 in U.S. District Court in Chicago and accuses the defendants of violating the Electronic Communications Privacy Act, the Stored Communications Act and the Health Insurance Portability and Accountability Act by “knowingly and repeatedly intercepting, accessing and disclosing” personal and sensitive health information.

The 27-hospital system has not clarified when the technology was used on its websites. The complaint alleges that Advocate Aurora encouraged patients to use its patient portal, “LiveWell,” leading to the exposure of protected health information (PHI) and subsequent “serious mental injury, shame or humiliation to people of ordinary sensibilities.”

Alistair Stewart, an Advocate Aurora patient, filed the suit “individually, and on behalf of all others similarly situated.” The suit states that Facebook’s data policy applies an “honor system” where it asks that businesses using its technology “provide robust and sufficient prominent notice to users regarding the Business Tool Data collection, sharing and usage.” Furthermore, it asserts that “Facebook’s Meta Pixel contracts with healthcare providers such as Advocate fail to mention or comply with HIPAA.”

Google was not listed as a defendant despite Advocate Aurora informing patients that the company may have also accessed patient data.

WakeMed notified 495,000 patients that the same technology was on its websites and that “the pixel’s software code may have also transmitted some of the information entered into the MyChart patient portal and appointment scheduling page back to Facebook.” In the late October announcement, WakeMed noted that the technology was in use on its website from March 2018 to May 2022.

The suit filed on Oct. 31 in North Carolina's Wake County courts against WakeMed includes neither Meta nor Google as a defendant but does accuse WakeMed of violating “its duty of confidentiality to its patients” through the use of Pixel technology on its MyChart patient portal.

“Despite knowing the risk that it was unlawfully transmitting patients’ PHI, WakeMed chose to implement the Meta Pixel on its website and patient portal because it financially benefits WakeMed,” the lawsuit reads. “Specifically, WakeMed benefits from the ability to analyze its patients’ experience and activity on its website to assess the website’s functionality and traffic. WakeMed also gains information about its patients through the Meta Pixel that can be used to target them with advertisements as well as measure the results of advertisement efforts.”

Trace Widdle was listed as the primary plaintiff, also filing on behalf of other affected patients. The suit states that WakeMed’s Notice of Privacy Practices outlining sharing PHI with HIPAA-compliant “business associates” does not include “business associates such as Facebook for the sole purpose of collecting consumer information for advertising and marketing purposes.”

The lawsuit also states that WakeMed enacted a “website privacy policy” two days after the health system sent a data breach notice to patients. The policy informs users of Pixel-like technology being used on its site to collect information, although it does not mention the collection of PHI.

Both suits assert that the JavaScript code scraped sensitive information, including IP addresses, emergency contact information and medical information such as health history.

Updated Aug. 12, 10:30 a.m.

Northwestern Memorial Hospital has joined the list of hospitals and health systems facing legal complaints due to the alleged use of Facebook parent company Meta's data tracker on their patient portal. 

Michael Krackenberger, a patient of the hospital, filed a complaint on behalf of himself and others in the U.S. District Court for the Eastern Division of the Northern District of Illinois.

As laid out in similar class action cases against hospitals and the tech company, Krackenberger said in the suit that he became aware of Meta's collection of his personal data via Northwestern Memorial's website as a result of an investigation published in June (see below).

The plaintiff acknowledged in the complaint that Northwestern Memorial had previously released a statement saying that use of the data tracker was disclosed in its terms and conditions.

However, such waivers do not exempt the system from patient rights protections laid out in Illinois law, according to the complaint. The plaintiff also alleged that Meta's collection and use of private medical information for profit violated both state and federal information protection laws.

Krackenberger is seeking punitive damages of at least $5 million for himself and others harmed by the collection and use of their information.

Updated Aug. 2, 2:00 p.m.

A second class action lawsuit has been filed against Facebook parent company Meta related to allegations of hospital website data collection, this time also listing UCSF Medical Center and Dignity Health as co-defendants. 

An anonymous resident of Sacramento County, California and a patient of the healthcare organizations filed the suit in the U.S. District Court for the Northern District of California in late July.

Similar to the prior class action and research investigation from June, the plaintiff outlined "illegal information gathering" via a tracker called the Facebook/Meta Pixel embedded on hospitals' websites.

The plaintiff said in the complaint that her sensitive medical information was harvested by Meta through UCSF Medical Center and Dignity Health's patient portals.

She then "continued to have her privacy violated when her user data was used for profit by Meta when it allowed pharmaceutical and other companies to send her targeted advertising related to her medical conditions," according to the complaint. These advertisements were delivered on the plaintiff's Facebook page, in her email and in text messages, according to the case.

UCSF Medical Center and Dignity Health are listed in the filing because the healthcare providers "knew by embedding Meta Pixel ... they were sharing and permitting Meta to collect and use plaintiff's and the class members' user data, including sensitive medical information," according to the complaint. 

Updated June 21, 11:45 a.m.

Facebook parent company Meta was hit with a class action lawsuit late last week alleging the tech company has been collecting sensitive patient-status data through hospital websites in violation of the Health Insurance Portability and Accountability Act (HIPAA).

The case was filed on Friday in the Northern District of California by an anonymous patient of Baltimore’s MedStar Health System on behalf of “millions of other Americans whose medical privacy has been violated by Facebook’s Pixel tracking tool.”

The filing came just days after the publication of an investigation by The Markup detailing how the tech company’s analytics tool was found on roughly a third of the country’s top hospitals’ websites.

The report and the lawsuit detailed the tracker’s collection of identifiable information such as IP addresses and other potentially sensitive information including doctor names and recent web activity related to their health conditions. The two documents also said that patients using provider websites with the tracker would not have consented to the collection of these data.

While The Markup and experts cited in its report characterized the practices as a likely HIPAA violation, the class action was more explicit in its claims.

“Facebook is aware that it is receiving patient data from hundreds of different medical providers in the United States without patient knowledge, consent or valid HIPAA authorizations,” the plaintiff wrote in the lawsuit.

The plaintiff also said that they have identified “at least 664 hospital systems or medical provider web properties where Facebook has received patient data via the Facebook Pixel” as of the Friday filing.

The anonymous plaintiff asked the court to award compensatory and punitive damages related to an alleged breach of contract, constitutional invasion of privacy, violation of the Electronic Communications Privacy Act, violation of the California Invasion of Privacy Act and other allegations.

Fierce Healthcare has reached out to Meta for comment.

Facebook has been collecting potentially sensitive health data through a tracker that, until recently, was included in the online scheduling tools of roughly a third of the country’s top hospitals, according to a new report from nonprofit investigative newsroom The Markup.

Called the Meta Pixel, the tracker is an analytics tool Facebook’s parent company offers website owners. In exchange for social media advertising information, the tracker sends the tech company data on users’ IP addresses and webpage activity.

The Markup reviewed the appointment scheduling webpages of 100 leading hospitals and found the Meta Pixel on 33, according to the report. These hospitals collectively saw over 26 million patient admissions and outpatient visits in 2020, per American Hospital Association survey data cited by the publication.

The group also found the tracker within the password-protected patient portals of seven major health systems, five of which it was able to document sending the personal data of real volunteer patients.

IP addresses, doctor names, appointment times, medication information, search terms and connections to users’ Facebook accounts were all among the data being collected and sent to the tech company, according to the report, which was co-published with digital publication Stat. There were reportedly no specific contracts or other evidence that patients were providing consent to these data being collected.

Health privacy consultants and advocates cited in the report said they were troubled by the data collection practices but stopped short of definitively declaring the tracker to be a HIPAA violation.

The organization reached out to the hospitals and health systems that had the Meta Pixel on their webpages. As of the time of the report’s publication, seven hospitals and five health systems had removed the Meta Pixel from their webpage after being contacted.

Some reportedly replied to inquiries by referencing safeguards installed by Facebook to filter out sensitive health data prior to transmission. Some of these organizations still removed the tracker from their webpages.

The Markup noted a February investigation from the New York Department of Financial Services reporting the poor accuracy of Facebook’s sensitive data filtering system.

Facebook parent company Meta did not respond to questions from The Markup regarding how the data were being used but referenced its policy to remove potentially sensitive health data via the filtering tool.

Facebook also acknowledges that the Meta Pixel and other tracking tools collect users’ personally identifiable information in its business tools terms of service.