A federal judge has rejected a request by Meta users to prohibit the company from collecting or harnessing sensitive health data.
In an order issued Thursday, U.S. District Court Judge William Orrick said the allegations that Meta collected sensitive data were “troubling,” but that an injunction would be premature due to “factual uncertainties,” as well as the company's internal efforts to block receipt of the data.
Orrick added that his “perspective may evolve” as more facts come to light.
Orrick's ruling comes in a class-action complaint brought earlier this year by patients who alleged that Meta tracks their visits to hospital websites, and then monetizes the data collected from those sites.
The users, who are proceeding anonymously, sought a court order banning Meta from gathering or using patient information obtained from sites of health organizations covered by the Health Insurance Portability and Accountability Act.
They filed a complaint shortly after The Markup reported that 33 of the country's top 100 hospitals have Meta's tracking code, the Meta Pixel, on their sites. That code sends Facebook the IP addresses of people who use the hospital sites to schedule a doctor's appointment, according to The Markup.
In addition, Meta potentially can draw on tracking cookies to identify some patients who are logged in to Facebook when they visit a hospital site, according to The Markup.
The users raised several theories in their complaint, including that Meta misrepresented its policies by claiming that publishers only send data to Meta if they have the legal right to do so.
The users contend that statement was untrue, given that the health sites that allegedly sent health data to Meta were covered by the Health Insurance Portability and Accountability Act, which prohibits doctors and hospitals from sharing information about patients without their consent.
Meta opposed the request for an injunction, arguing that it already takes “extensive measures” to prevent receipt of sensitive health data. Among other measures, Meta said it attempts to filter out potentially sensitive information.
“Meta does not want healthcare providers -- or any other website developers -- to send sensitive data to it,” the company said in papers filed with Orrick in October.
Orrick said in his ruling that the users “raise potentially strong claims on the merits and their alleged injury would be irreparable if proven.”
But he also said Meta presented evidence that it has already invested in a filtering system, and that the company contends its existing systems are “the most effective and feasible methods” for it to prevent receipt of “potentially sensitive information at scale.”
Orrick noted in his decision that Meta said 15 employees, including four dedicated engineers, currently work on improving the system used to filter out health data that's sent through the Meta Pixel.
The judge also said there were too many unknowns to justify an injunction -- including how many hospitals use the Meta Pixel, and how successful Meta's filter is.
“In light of the systems in place that Meta has created to block receipt of this sensitive information and the factual uncertainties ... it is too early to find that the public interest supports a mandatory injunction,” he wrote.