Meta Sued Over Alleged HIPAA Violations
New Name, Ongoing Concerns
In 2021, Facebook rebranded itself as Meta to appeal to the younger generations choosing newer social media platforms. The rebrand was also an attempt by Facebook to distance itself from past privacy violations. However, a class-action lawsuit announced in June alleges Meta secretly collected the private healthcare data of millions of patients.
Under the 1996 US Health Insurance Portability and Accountability Act (HIPAA), Americans have the right to the protection and privacy of their health data. The class-action complaint accuses Meta of violating the Electronic Communications Privacy Act and other privacy laws by “intentionally intercepting” user data.
The lawsuit alleges that a snippet of tracking code called the Facebook pixel (also known as the Meta pixel) records and reports data to Meta when people visit certain medical websites. The collected data includes visitors’ IP addresses, which can then be used to link the visitors to their medical information.
The pixel code can be added easily to websites to help the website owners collect visitor analytics and to aid Meta in advertising to visitors. The Meta website explains, “Pixel is a piece of code for your website that lets you measure, optimize, and build audiences for your ad campaigns. When someone visits your website and takes an action, the Facebook pixel is triggered and reports this action.”
Research by The Markup
The alleged HIPAA violations were discovered and reported by The Markup, a nonprofit newsroom investigating how powerful institutions use technology to change society. The Markup found that 33 of Newsweek’s top 100 US hospitals sent sensitive data to Meta via the pixel.
On one hospital’s website, selecting the Schedule Online button on a doctor’s page prompted the Facebook pixel to send Meta the text of the button, the doctor’s name, and the selected search term: pregnancy termination.
The Schedule Online Now button on another hospital’s website prompted the Facebook pixel to send Meta the text of the button, the doctor’s name, and the medical condition “Alzheimer’s” selected from a dropdown menu.
The Markup also found the Facebook pixel installed inside the password-protected patient portals of seven health systems.
A recent Markup joint investigation with Reveal Center for Investigative Reporting found that Meta’s sensitive information filtering system did not screen out information about appointments a reporter requested with crisis pregnancy centers. Meta engineers indicated in recent interviews that the sensitive data filtering system for the Facebook pixel is not yet fully operational.
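The button clicks and portal installations described above, turned into a check a hospital’s web team can run over its own pages: this is an added example, not code from the article or from The Markup. It scans page HTML for the publicly documented pixel base code (the fbevents.js loader, the noscript beacon, and fbq() calls) and flags tracked events whose parameters look like they carry patient-identifying data; the sample page and the PHI_HINTS list are constructed for illustration.

```python
import re

# Matchers for the publicly documented Meta pixel base code: the loader
# script URL, the <noscript> image beacon, and calls to the global fbq().
PIXEL_LOADER = re.compile(r"connect\.facebook\.net/[\w-]+/fbevents\.js")
NOSCRIPT_BEACON = re.compile(r"facebook\.com/tr\?")
FBQ_CALL = re.compile(
    r"fbq\(\s*['\"](?P<method>\w+)['\"]\s*,\s*['\"](?P<arg>[^'\"]+)['\"]"
    r"(?:\s*,\s*(?P<params>\{[^}]*\}))?\s*\)"
)
# Parameter names that, combined with the visitor's IP address, can tie a
# person to the care they sought. Hypothetical starter list; extend it.
PHI_HINTS = ("doctor", "provider", "condition", "diagnosis",
             "search", "term", "appointment", "schedule")

def audit_page(html: str, restricted: bool = False) -> dict:
    """Report pixel presence and tracked events in one page's HTML.
    restricted=True marks a login-protected portal or scheduling page,
    where any pixel at all is a high-severity finding."""
    events, flagged = [], []
    for m in FBQ_CALL.finditer(html):
        if m["method"] not in ("track", "trackCustom"):
            continue  # 'init' and similar calls carry no event payload
        params = m["params"] or ""
        events.append((m["arg"], params))
        # Parameter keys of the event's data object, quoted or bare
        keys = re.findall(r"['\"]?(\w+)['\"]?\s*:", params)
        hits = [k for k in keys if any(h in k.lower() for h in PHI_HINTS)]
        if hits:
            flagged.append((m["arg"], hits))
    present = bool(PIXEL_LOADER.search(html) or NOSCRIPT_BEACON.search(html)
                   or events)
    severity = "none"
    if present:
        severity = "high" if (flagged or restricted) else "review"
    return {"pixel": present, "events": events,
            "flagged": flagged, "severity": severity}

# Constructed sample: a find-a-doctor page carrying the standard base code
# plus a custom event wired to a "Schedule Online" button.
SAMPLE_HTML = """<script>
!function(f,b,e,v,n,t,s){}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<button onclick="fbq('trackCustom', 'ScheduleOnline', {doctor_name: 'Dr. Example', search_term: 'pregnancy termination'})">Schedule Online</button>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>"""
```

Run `audit_page(SAMPLE_HTML)` to see the scheduling event flagged as high severity; pages behind a login should be audited with `restricted=True`.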
HIPAA Security Rule
The alleged violations relate to the HIPAA Security Rule. According to the US Department of Health & Human Services website, “The Security Rule specifies a series of administrative, technical, and physical security procedures for covered entities to use to assure the confidentiality, integrity, and availability of electronic protected health information (ePHI).”
In this case, the alleged violations involve patients’ medical data combined with their IP addresses. When healthcare data is combined with identifiers such as IP addresses to match the data to specific patients, it becomes ePHI and is protected under HIPAA.
A Widespread Concern
While The Markup research focused only on the Newsweek top 100 hospital systems, many other healthcare providers and their business associates and contractors use the Facebook pixel on their websites. Last year, The Markup found that 30% of the 80,000 most popular websites use the Facebook pixel, and Facebook has said millions of pixels are on websites across the Internet. According to Meta, “Pixel data can be stored for years.”
A leak of HIPAA-protected data, whether intentional or not, could be very costly and damaging to offenders. Any organization that is a covered entity or business associate under HIPAA should strongly consider requiring HIPAA training on a recurring basis. Information technology and social media marketing staff should be included.
The HIPAA online training series by Syntrio presents a sound overview of HIPAA through everyday scenarios, practical business exercises, and carefully crafted quizzes. Request a preview of the series today.