A US court has ruled that Meta, the owner of Facebook and Instagram, must face a lawsuit accusing the company of violating the medical privacy of patients through its tracking tool, Meta Pixel.
The court has approved the class-action case for trial, which surrounds claims that Meta violated a federal wiretap law and a state law on privacy in California. The company also violated its own guidelines concerning user privacy on Facebook. According to the court decision, the proposed lawsuit “does not negate the plausible allegations that sensitive healthcare information is intentionally captured and transmitted to Meta”. The case seeks damages for all individuals whose private medical information was violated.
The controversy gained publicity in August last year following an investigation by The Markup, a nonprofit news organisation working on data-driven investigations. The outlet revealed 33 of the 100 hospitals in the US used Meta’s Pixel on their websites to maintain patient profiles. The investigation found that the tracking tool had been installed on the private patient portals held by at least seven hospitals. Critical information concerning health conditions, medical appointments, and medication was being funnelled to Meta through the Pixel software, according to the investigation.
The report published by The Markup quoted Meta and the hospitals as saying that they had no such contracts in place. The newsroom found no substantial evidence confirming that Meta had obtained patients’ informed consent before collecting their medical information, which indicated the tech giant had indeed harvested critical patient data without their knowledge. The Markup stated, however, that it could not be determined whether the data was used by Meta itself for targeted advertising across its social media platforms.
The lawsuit, on the other hand, claims that sensitive data from the private portals of patients was sold to advertisers, who used it for targeted advertising related to treatments and medicines on Facebook. In light of the lawsuit, Meta stands in violation of the US Health Insurance Portability and Accountability Act (HIPAA), which bars medical facilities from sharing personally identifiable health information with external entities without obtaining patients’ informed consent.
One particular complaint cited in the lawsuit claimed that a patient started receiving ads related to her heart and knee conditions which she had entered in her portals on the websites of two hospitals. Although Meta claims its “filtering mechanism is designed to prevent potentially sensitive health-related data from being ingested into its ads ranking and optimization systems”, it has time and again violated its own guidelines, finding itself being dragged through the courts and amassing millions of dollars in fines in various markets.
In Europe, Meta has accrued almost a billion dollars in penalties in just over two years from the Irish regulator alone over privacy violations under the General Data Protection Regulation (GDPR).