Yahoo Finance Meta gathered people’s private medical data to show them ads on Facebook, lawsuit alleges
Meta is being sued for collecting data from US hospitals without users’ knowledge, two new lawsuits allege.
The claims focus on the Meta Pixel, which sends Facebook data whenever they click a button.
A recent report from The Markup found that the pixel was used on 33 of the top 100 hospitals in America. The data that is sent to Facebook includes an IP address, meaning that the user or their household could be identified.
At seven of these 33 hospitals, the pixel was installed on password-protected patient portals – sharing information including the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments. Some hospitals removed the pixels after The Markup’s report.
One lawsuit alleges that medical information was sent to Facebook via the pixel from the University of California San Francisco and Dignity Health patient portals, which resulted in her seeing adverts for her heart and knee conditions – some of which had no scientific support.
United States medical privacy law states that healthcare organisations need the patient’s consent to share identifiable information to outside groups, with the lawsuits alleging that Meta is knowingly not enforcing these policies.
Meta did not respond to The Independent’s request for comment before time of publication and did not answer questions sent by The Markup.
Instead, a spokesperson paraphrased the company’s sensitive health data policy: “If Meta’s signals filtering systems detect that a business is sending potentially sensitive health data from their app or website through their use of Meta Business Tools, which in some cases can happen in error, that potentially sensitive data will be removed before it can be stored in our ads systems”.
“I am deeply troubled by what [the hospitals] are doing with the capture of their data and the sharing of it,” said David Holtzman, a health privacy consultant who previously served as a senior privacy adviser in the US Department of Health and Human Services’ Office for Civil Rights, which enforces HIPAA, told The Markup.
“I cannot say [sharing this data] is for certain a HIPAA violation. It is quite likely a HIPAA violation.”
The lawsuits have not yet been certified as class actions, which a judge will need to do before they cand develop, but if they do, they could bring damages on behalf of all users whose medical providers have used the pixel.
