Patients Advance Meta Lawsuit Over Collecting Health Information

Meta Platforms Inc. must face a proposed class action alleging it collected the personal health information of patients without their consent in violation of state and federal privacy laws and against its own privacy policies, a federal court ruled.

Five anonymous plaintiffs allege in the consolidated lawsuit that Meta intercepted the health information of people with Facebook accounts by installing the Meta “pixel” on the patient portals of their health-care providers. Meta profited from the intercepted information by using it to deliver targeted ads, they said.

Judge William H. Orrick of the US District Court for the Northern District of California denied Meta’s motion Thursday to dismiss the plaintiffs’ claims of breach of contract, breach of the duty of good faith and fair dealing, unjust enrichment, and violations of the Electronic Communications Privacy Act and the California Invasion of Privacy Act.

Orrick granted the motion as to the lawsuit’s remaining claims and gave the plaintiffs leave to file an amended complaint.

The Meta pixel is a portion of code that tracks visitors’ activity on non-Meta websites, the plaintiffs said. When a patient communicates through a health-care provider’s website that has the pixel installed, it redirects the communication to Facebook, identifying them as a patient, their lawsuit alleged.

The plaintiffs allege that at least 664 medical entities use the technology, including their providers: MedStar Health System, Rush University System for Health, WakeMed Health & Hospitals, Ohio State University Wexner Medical Center, and North Kansas City Hospital.

Meta argued that the plaintiffs hadn’t sufficiently established the company’s intent to collect their information, a necessary element of claims under the two laws, but Orrick said the issue couldn’t be resolved before discovery had taken place.

“What Meta’s true intent is, what steps it actually took to prevent receipt of health information, the efficacy of its filtering tools, and the technological feasibility of implementing other measures to prevent the transfer of health information, all turn on disputed questions of fact that need development on a full evidentiary record,” he said.

The plaintiffs also sufficiently pleaded that the information Meta collected through the pixel qualified as “content of communications,” and that there were factual issues preventing the court from determining at this stage that the hospitals had consented to the transfer of health information to the company, he said.

The judge also found that the complaint’s references to specific provisions in Meta’s terms of service and privacy policy laid a sufficient foundation for their breach of contract claims, that they had adequately alleged that Meta breached its promises by failing to take steps to block the transfer of sensitive information.

Simmons Hanly Conroy LLP, Cohen Milstein Sellers & Toll PLLC, Kiesel Law LLP, Terrell Marshall Law Group PLLC, , and Gibbs Law Group LLP represent the plaintiffs. Gibson, Dunn & Crutcher LLP and Cooley LLP represent Meta.

The case is Doe v. Meta Platforms Inc., N.D. Cal., No. 3:22-cv-03580, 9/7/23.