Facebook on Friday was hit with a lawsuit alleging it violates users' privacy by collecting and monetizing sensitive medical data from hospital websites.
“Facebook knows (or should have known) that its pixel tracking tool is being improperly used on hospital websites resulting in the wrongful, contemporaneous, re-direction to Facebook of patient communications,” a Maryland resident and MedStar Health patient proceeding as an anonymous “John Doe” alleges in a class-action complaint filed Friday in U.S. District Court for the Northern District of California.
The lawsuit comes one day after The Markup reported that 33 of the country's top 100 hospitals have a Meta pixel -- used for tracking -- on their sites. That pixel sends Facebook the IP addresses of people who use the hospital sites to schedule a doctor's appointment, according to The Markup.
Researchers at the news organization said they found the Meta pixel “inside the password-protected patient portals of seven health systems.”
The hospitals may have violated the Health Insurance Portability and Accountability Act, which prohibits doctors and hospitals from sharing information about patients without their consent, according to The Markup.
That law doesn't itself restrict Facebook from sharing data.
But, according to the complaint, Facebook told users that publishers only send data to Facebook if they have the legal right to do so. In other words, Facebook allegedly misrepresented its policies by collecting information from outside websites that weren't supposed to disclose the information.
“Facebook knowingly receives patient data -- including patient portal usage information -- from hundreds of medical providers in the United States that have deployed the Facebook Pixel on their web properties,” the lawsuit alleges.
“Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook,” the complaint continues.
“John Doe” also alleges that Facebook harnesses the medical data by allowing advertisers to target users based on specific health conditions.
The lawsuit claims Facebook broke its contract with users and also violated California privacy laws and the federal wiretap law.
Facebook previously defeated claims that it violated users' privacy by collecting health-related data from outside websites like the American Cancer Society via the “Like” button. But in that matter, the 9th Circuit Court of Appeals said the type of general web-browsing data allegedly collected wasn't covered by the federal health privacy law.
“Information available on publicly accessible websites stands in stark contrast to the personally identifiable patient records and medical histories protected by these statutes -- information that unequivocally provides a window into an individual’s personal medical history,” the 9th Circuit judges wrote in a 2018 ruling.
The court in that case also upheld a finding that Facebook users consented to the data collection by accepting the company's terms of service, which disclosed that it collects data from outside websites.