At least 664 hospital system or medical provider websites have sent data to Facebook via its Pixel tracking tool, alleges one complaint filed in California federal court by someone referred to as “John Doe.” Another complaint filed by “Jane Doe” claims that Facebook showed her targeted ads related to her heart disease and joint pain.
Both potential class actions raise the specter that care sites’ data-sharing may run afoul of the Health Insurance Portability and Accountability Act, or HIPAA, the federal law that protects the privacy of personal health information held by medical providers. Only the US government can sue under HIPAA, though. So the Doe complaints accuse Meta and health care providers of violating other state or federal laws that focus on invasions of privacy or consumer protection.
The cases illustrate the challenge of building guardrails around health-related data online—not just on public-facing websites, but also within patient portals—and serve as a warning to companies that use similar tracking technology. The websites at issue allegedly shared information related to scheduling appointments with a doctor and reviewing test results.
“If you walk into their office, you have to sign a HIPAA form. With Pixel, there’s no such thing,” said Carol Villegas, a partner at Labaton Sucharow LLP who is representing consumers in a similar data-sharing case brought against a period-tracking app from Flo Health Inc.
Attorneys say patients may falsely assume that because health-related information is protected, it’s not being disclosed.
“These hospitals have an obligation to patients to provide them with notice on where their medical information is going,” Villegas said.
Leaving a digital trail that could reveal private health information has taken on new weight since the US Supreme Court overturned a federal right to abortion in a case known as Dobbs v. Jackson Women’s Health Organization. In states that make it a crime to terminate a pregnancy, law enforcement could seek such data as evidence.
“Dobbs has really added another dimension to this whole issue,” said Dianne Bourque, former in-house counsel for an academic medical center who’s now a member of law firm Mintz, Levin, Cohn, Ferris, Glovsky and Popeo PC.
Facebook’s corporate parent Meta says websites or apps that use Pixel aren’t meant to send sensitive health information to the company. That includes information such as medical conditions or treatments and mental health status. If such data is sent by mistake, the tool is designed to filter out sensitive information and prevent the data from feeding into ads.
“Yet Facebook is still getting information,” said Jeffrey Koncius, a partner at Kiesel Law LLP who represents John Doe in his Pixel data-sharing suit.
Koncius previously worked on a case that was brought over data shared via Facebook code installed on websites for the American Cancer Society, the Cleveland Clinic, and other health-related organizations. It was dismissed on grounds that Facebook users agreed to tracking when they signed up for accounts, he said, but some of the hospitals named in the suit removed the code from their websites after it was filed.
The Doe class actions over Pixel data-sharing are both in the US District Court for the Northern District of California. The cases are still in initial stages, meaning they’ll face questions on whether the plaintiffs have standing to bring claims under the laws they cite and whether those claims are convincing enough to survive early dismissal.
Both suits are seeking damages paid to consumers. One of the state laws Jane Doe sued under, the California Confidentiality of Medical Information Act, allows for damages of $1,000 per violation.
The California court also could force hospital systems named in the suits to clearly disclose that their websites share information with Meta, lawyers say. Another possible outcome would be for the judge to order that Meta must delete health information that shouldn’t have been used for targeted ads.
Dignity Health Medical Foundation, named in the Jane Doe suit, didn’t respond to a request for comment. A spokeswoman for University of California, San Francisco Medical Center, also named in the suit, declined to comment on pending litigation.
John Doe is a patient of
“Protecting the privacy of our patients is a responsibility we take very seriously,” the spokeswoman said.
Boston-based Mass General Brigham health system agreed to pay $18 million earlier this year to settle another class action over the use of web analytics tools that collected data about visitors to its site without the users’ permission.
That case is notable because Massachusetts hasn’t yet adopted a comprehensive state privacy law like California and some other states have, said Odia Kagan, a privacy- and data security-focused partner at Fox Rothschild LLP.
Even without such a law, lawyers leading class actions are finding innovative ways to invoke existing laws written to protect consumers from fraud or to limit wiretapping, as well as common law doctrine governing invasion of privacy or breach of contract.
“This is a trend,” Kagan said.
The Department of Health and Human Services enforces the federal health privacy law by investigating complaints and imposing fines and other penalties for privacy violations. When asked about the Doe lawsuits over Pixel data-sharing, a spokesperson for HHS said the agency’s Office for Civil Rights doesn’t comment on open or potential investigations.
It’s not unusual for health care providers to use a web analytics tool to find out where visitors to their site come from, what they click on, or how long they spend on a page, according to Mintz’s Bourque.
“If the Pixel [tool] is inside a patient portal gathering data that’s tied back to a patient’s Facebook page, that’s where the problem may be,” she said.
Being able to send Facebook users targeted ads about their health would mean the data wasn’t stripped of identifying information, she said.
HIPAA protects the privacy of individually identifiable health information by permitting only certain uses and disclosures of data—such as for research purposes—as long as the data can’t be linked back to a particular patient. Releasing data that’s not properly de-identified could trigger liability for a HIPAA breach.
The two California cases also highlight a misunderstanding about how HIPAA protects health information. The federal law only covers health information that’s in the hands of health care providers, insurers, or other entities subject to the law.
“People assume because it’s health-related that it must be protected and therefore is not being disclosed,” Kiesel Law’s Koncius said. “It’s a false sense of security, though. Because while HIPAA applies, the data is being disclosed nevertheless.”