Meta is facing another class action lawsuit over the illegal collection and disclosure of health information without consent. The lawsuit was filed in the Northern District of California on behalf of the plaintiff Jane Doe. It claims that Meta and its companies, which include Facebook, gathered the sensitive health information of millions of individuals without obtaining express permission and used the data to serve people targeted ads.
Jane Doe was a patient of UCSF Medical Center and Dignity Health Medical Foundation. Her sensitive health data was allegedly taken illegally by Meta when she entered it into the UCSF Medical Center patient website. UCSF Medical Center used Meta Pixel code on the pages of the patient website. Meta Pixel is a piece of JavaScript code used to track site visitors. The code logs the web pages a user visits and sends them to Meta. When the code is on a web page that contains a form, such as one used to book appointments, the choices made in drop-down menus are logged and transmitted. Those selections can reveal a patient's health condition or the reason a consultation was booked.
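For site owners who want to check their own pages for this exposure, the following added example (not taken from the lawsuit or from any party named in it) scans saved HTML and flags pages where the Meta Pixel loads alongside user-facing form fields. The marker strings are the pixel's publicly documented loader host, beacon endpoint and `fbq()` function; the page paths and field names are constructed.

```python
from html.parser import HTMLParser

# Meta Pixel markers in src attributes: the loader host and the beacon endpoint.
PIXEL_SRC_MARKERS = ("connect.facebook.net", "facebook.com/tr")

class PixelAudit(HTMLParser):
    """Records Meta Pixel evidence and user-facing form fields on one page."""
    def __init__(self):
        super().__init__()
        self.pixel, self.fields = [], []
        self._open = set()  # which of <script>/<form> we are currently inside

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag in ("script", "img") and any(m in src for m in PIXEL_SRC_MARKERS):
            self.pixel.append(f"{tag} src={src}")
        if tag in ("script", "form"):
            self._open.add(tag)
        elif "form" in self._open and tag in ("select", "input", "textarea"):
            if a.get("type") not in ("hidden", "submit"):
                self.fields.append(a.get("name") or tag)

    def handle_endtag(self, tag):
        self._open.discard(tag)

    def handle_data(self, data):
        if "script" in self._open and "fbq(" in data and "inline fbq()" not in self.pixel:
            self.pixel.append("inline fbq()")

def audit(pages):
    """Return {url: fields} for pages where the pixel and form fields coexist."""
    flagged = {}
    for url, html in pages.items():
        p = PixelAudit()
        p.feed(html)
        p.close()
        if p.pixel and p.fields:
            flagged[url] = p.fields
    return flagged

# Constructed sample pages (hypothetical paths and field names).
SAMPLE = {
    "/portal/book": '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>'
                    '<script>fbq("track", "PageView");</script><form><select name="visit_reason">'
                    '<option>Cardiology</option></select><input type="submit"></form>',
    "/about": '<script>fbq("track", "PageView");</script><p>About us</p>',
    "/portal/contact": '<form><input name="email"><textarea name="msg"></textarea></form>',
}
```

Calling `audit(SAMPLE)` flags only `/portal/book`, the one page where the tracker and a drop-down menu appear together. A static scan like this misses pixels injected at runtime by a tag manager, so it complements rather than replaces inspecting the page's outbound network requests.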
Jane Doe was served one targeted Facebook advertisement. Source: Jane Doe v. Meta Platforms, Inc. F/K/A Facebook, Inc., UCSF Medical Center, and Dignity Health Medical Foundation.
Jane Doe stated that she has been a Facebook user since 2012 and claims her privacy was violated because her data was obtained and used without her authorization. The data entered on the form was used by Meta to serve her targeted ads related to her medical problem. The lawsuit alleges a HIPAA violation, as neither Dignity Health Medical Foundation nor UCSF Medical Center had signed a business associate agreement with Facebook or Meta, and neither Facebook, Meta, nor the hospitals obtained consent or notified patients that their data was being given to Meta to serve targeted ads.
Under HIPAA, healthcare companies are allowed to disclose a person's protected health information (PHI) to another HIPAA-covered entity or a third-party vendor if the reasons are related to treatment, payment, or medical procedures, and in such cases the patient's consent is not required. Many other disclosures require a HIPAA-covered entity to sign a business associate agreement with the third party before sharing PHI, and consent is required from the individuals whose PHI is shared.
HIPAA has no private right of action, so individuals cannot sue healthcare companies for HIPAA violations. However, there are frequently comparable federal and state regulations that do provide a private right of action. In this case, the lawsuit has sixteen claims, including:
- common law invasion of privacy
- invasion of privacy
- intrusion upon seclusion
- breach of contract
- unjust enrichment
- breach of implied contract
- violations of the California Constitution, California Business and Professions Code, California Confidentiality of Medical Information Act (CMIA), California Invasion of Privacy Act, the Federal Wiretap Act, and the Comprehensive Computer Data Access and Fraud Act.
The lawsuit claims the plaintiff and class members have suffered loss and damage because of the defendants' conduct, which has limited their control over their important property, their ability to obtain payment for their information, and their ability to withhold their information from sale, and that the violations have led to permanent and incalculable damage and injuries. The lawsuit seeks damages and equitable and injunctive relief.
The lawsuit makes the same allegations as another lawsuit against Meta, which was filed by plaintiff John Doe, who was a MedStar Health patient in Maryland. The Markup recently investigated the sharing of healthcare information with Meta/Facebook through Meta Pixel on hospital sites and found that 33 of the top 100 hospitals in the U.S. had put the Meta Pixel code on their sites, and 7 hospitals used the code on their patient websites behind logins, even though permission to share information was not obtained.