Dive Brief:
- Two of the biggest hospital networks in Louisiana have been hit by class-action lawsuits alleging their websites used a tracking code that shared sensitive patient information with Facebook and Instagram.
- At issue is the hospitals’ use of the “Meta Pixel” website code, which potentially analyzed, gathered and shared the protected medical data of hundreds of thousands of patients, in violation of the HIPAA privacy law, the lawsuit alleges.
- The systems, LCMC Health in New Orleans and Willis-Knighton Health in northwest Louisiana, both said they were committed to patient privacy in statements provided to Healthcare Dive.
Dive Insight:
Pixel codes use a tracking script to collect and send an organizations’ data to its owner. That data is then generally used for marketing, targeting individuals with offers and advertisements based on their internet activity.
The lawsuit alleges that when patients clicked the “schedule an appointment” button on Louisiana hospital websites, Meta’s Pixel code captured information including medical conditions, prescriptions, doctors’ names and previous appointments, and sent that information to Facebook.
In one instance, a woman received online ads about heart disease and joint pain moments after entering her information on one of the hospital websites, according to law firm Herman Herman & Katz, which filed the class-action suits.
The use of Meta Pixel violates HIPAA, which prohibits covered entities like hospitals from sharing patients’ personal health information with a third party without explicit consent, according to the firm. Along with forcing LCMC and Willis-Knighton to stop use of the tracker, the lawsuit is also seeking that any profit the hospitals made from selling the data be repaid to the victims, said Herman Herman & Katz partner Stephen Herman in a video linked to the announcement.
“We are learning more and more about this shocking breach of trust as our investigation continues,” Herman said in a statement on the suit. “This was a gross invasion of privacy that went on for years.”
A spokesperson for LCMC Health said the system takes any implication that patient data has been shared inappropriately “with the utmost urgency.”
“We are aware of the pending lawsuit and intend to defend LCMC Health vigorously against the plaintiffs’ claims,” the spokesperson said.
Meanwhile, Willis-Knighton said it is “one of many hospitals” in the U.S. that have recently been sued regarding “the very common use of digital media marketing tools,” but that it does not comment on pending litigation.
Multiple lawsuits have been filed recently over breaches of protected health information, including by pixel tracking technologies. An investigation by Stat News and the Markup published in June found the tracking tool embedded in dozens of hospitals’ websites, including password-protected patient portals. Another probe from December found dozens of telehealth companies were also sharing sensitive medical data with social media giants.
Hospitals argue that third-party vendors help them track and evaluate the trends and preferences of patients who use their websites, and that they’re not always aware when pixel tools are pulling patient information back to their parent companies. For example, Advocate Aurora in October alerted patients in Illinois and Wisconsin that their data may have been breached due to tracking pixels.
Regulators have been increasingly cracking down over the sharing of sensitive consumer information. In January, the European Union fined Facebook about $414 million over its online ad targeting practices. And in the U.S., the FTC earlier this month fined digital health company GoodRx $1.5 million for sharing users’ health data with advertisers.
