Facebook Meta Pixel Lawsuit

Facebook describes its Meta Pixel feature as a snippet of JavaScript code that users can put on their website. Once Pixel is installed, it tracks what forms website visitors click on, and what options users select from dropdown menus. Recently, The Markup/STAT released a report summarizing a test it ran on the 100 top hospitals in the United States.

The study found that one-third of these hospitals use Meta Pixel on their websites. More ominously, the study identified 7 hospital systems that had installed Meta Pixel on their patient portals behind password protection. Pixel, the study found, was transmitting sensitive patient data to Facebook. This information, which included patient conditions, could be tied to specific patients through their IP addresses. 

One minor problem: The hospitals did not obtain consent from patients to track their data, nor did Meta have a business associate agreement with the hospitals, according to the allegations in a recent lawsuit. In late June of 2022, patient John Doe, on behalf of himself and other individuals, filed a proposed Facebook Pixel class-action lawsuit in federal court in Northern California. The Meta Pixel lawsuit alleges that Meta violated state and federal laws governing the collection of patient data without consent. Details of the Facebook Pixel lawsuit are provided below.

Meta Pixel Lawsuit: The Damage The Markup Found

The Markup found that Pixel exposed protected health information at some of the nation’s top hospitals. When The Markup clicked the “Finish Booking” button on a Scripps Memorial Hospital doctor’s page, Meta Pixel sent Facebook the name and specialty of the patient’s doctor, and the “dummy” patient’s first name, last name, email address, phone number, zip code, and city of residence that The Markup entered into the online booking form.

Meta Pixel Lawsuit: Facebook Goes (Back) to Court

When The Markup published its findings, public reaction was swift and adverse. Within days of the report, a proposed class-action lawsuit was filed against Meta.

“Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook,” the Meta Pixel lawsuit alleges.

The Meta Pixel lawsuit claims this wrongdoing constitutes a breach of contract, an invasion of California’s constitutional right to privacy, and a violation of the federal Electronic Communications Privacy Act.

Facebook has not yet filed an answer to the Meta Pixel lawsuit. However, when it was asked to comment on the Facebook Pixel lawsuit allegations, it stated: “Facebook promises users that ‘publishers can send us information through Meta Business Tools [such as] the Meta Pixel’ but Facebook ‘require[s] each of these partners to have lawful rights to collect, use, and share your data before providing any data to us.’” Facebook has also claimed that medical providers must obtain adequate patient consent before providing patient data to Facebook.

The allegations in the Meta Pixel lawsuit complaint state otherwise. In the Meta Pixel lawsuit, the plaintiff alleges that Facebook knowingly receives patient data, including patient portal usage information, from hundreds of medical providers in the United States that have deployed the Facebook Pixel on their websites. In the absence of a HIPAA business associate agreement between Facebook and the providers, the plaintiff alleges this knowing receipt violates both California and federal law.

In the Facebook Pixel lawsuit, the plaintiff John Doe specifically alleges that he is a patient of the MedStar Health System in Baltimore, Maryland. The plaintiff alleges that, in the course of receiving medical care from MedStar, he used the “MyMedStar” patient portal to review his lab results, make appointments, and communicate with his providers.

In the Facebook Pixel lawsuit, the plaintiff further alleges that, when he signed into the MyMedStar Portal, the Facebook Pixel tool was secretly deployed on the webpage without his knowledge. Upon deployment, the Facebook Pixel caused data to be re-directed from the plaintiff’s device to Facebook. Facebook was able to capture the fact that the plaintiff had previously viewed a MedStar webpage about breast health; to capture the patient’s IP address; and to capture browser attribute information sufficient to fingerprint the plaintiff’s device.

More broadly, in the Facebook Pixel lawsuit, the plaintiff alleges that through Pixel, Facebook logs the following actions for medical providers:

  • When a patient clicks to register for the patient portal
  • When a patient clicks to log in to the patient portal
  • When a patient clicks to log out of the patient portal
  • When a patient sets up an appointment
  • When a patient clicks a button to call the provider
  • The specific communications a patient exchanges at the provider’s property, including those relating to specific providers, conditions, and treatments, and the timing of such actions, including whether they are made while a patient is still logged in to a patient portal or around the same time that the patient has scheduled an appointment, called the medical provider, or logged in or out of the patient portal.

In the Facebook Pixel lawsuit, the plaintiff seeks money damages, including punitive damages. Plaintiff, on behalf of the proposed class, also requests that the court order Facebook to stop using Facebook Pixel to collect patient information without patient consent or knowledge. 
