
On October 28th, 2022, in the U.S. District Court of Chicago, a complaint was filed against Meta (Facebook) and Advocate Aurora after it was discovered that approximately 3 million Advocate Aurora patients had had their sensitive health information compromised and shared with Meta, Google, and many of the third-party vendors that work directly with these two tech companies.  

The private and sensitive health data was collected through the Facebook Meta Pixel tool, a small piece of JavaScript code that allows businesses to track visitor activity on their websites. The Meta Pixel tool is said to have been used on both the customer-facing websites as well as the Advocate Aurora secure portal, LiveWell.  

LiveWell is a secure personalized portal where Advocate Aurora patients can schedule appointments, receive test results, obtain prescriptions, and access vital information regarding their medical conditions. All of this information was then collected with the Meta Pixel tracking tool and shared with Facebook, Google, and subsequently, many third-party vendors.  

The lawsuit in Chicago filed against Meta and Advocate Aurora accuses the defendants of violating the Electronic Communications Privacy Act, the Stored Communications Act, and the Health Insurance Portability and Accountability Act (HIPAA). The complaint also alleges that Meta knowingly and repeatedly violated these acts by intercepting, accessing, and disclosing personal and sensitive health information.  

Alleged HIPAA Violation May Be Widespread 

This lawsuit in Chicago, and many others like it, including complaints against WakeMed in North Carolina, Northwestern Memorial Hospital in the U.S. District Court for the Eastern Division of the Northern District of Illinois, and two separate lawsuits filed in California federal court, all follow an in-depth investigation conducted by The Markup online publication.  

The Markup investigation revealed in June 2022 that 33 of the top 100 hospitals in the United States used the Meta Pixel tracking tool on their websites. The article alleges that the Meta Pixel tracking tool then harvested the personally identifiable information and personal health information of patients and transmitted it back to Meta. Meta was then able to link the information back to the personal Facebook pages of patients and send targeted ads to these individuals based on the personal health information collected. 

Soon it was discovered that the Markup investigation was only the tip of the iceberg. More investigations followed The Markup’s June 2022 article, and these investigations found out just how widespread the issue actually was. The follow-up investigations revealed how many different healthcare systems were parties to the same privacy violations through the use of the Meta Pixel tracking tool on their websites.  

For example, the lawsuits mentioned above that were filed in California federal court helped to identify more than 664 hospital system and medical provider websites that had sent data to Meta using the Pixel tracking tool. It is expected that many more complaints will be filed and that many congressional investigations will soon follow. 

How does social media data collection affect patient privacy?  

This type of data collection, when used to harvest extremely sensitive medical information about patients, has implications well beyond advertising. The main concerns are who has access to the information and how they use it.  

This gives states the right to adopt state legislation that can put restrictions on or outright ban abortions in their state. Some states are not only implementing total abortion bans, but they are also exploring ways that they could place restrictions on traveling to other states to have abortions and put those who have or those who perform abortions in prison for murder. 

Could sensitive medical information about pregnant women that is harvested through social media data collection be used by law enforcement to keep track of pregnant women and to identify women who have traveled to other states to have abortions? Could the information collected be used to identify doctors who have performed abortions in the past and place them under surveillance?  

The greater implications of how harvested medical data can be used are almost dystopian, and as we have learned, social media companies like Meta are not immune to their own cyber breaches and data leaks. What if cybercriminal organizations can steal this type of medical data and sell it to the highest bidder? 

The bottom line is, sensitive medical data that falls into the wrong hands could be used maliciously and tech companies should not have access to this type of information in any way. HIPAA was created for a reason, and all companies and healthcare providers need to act in accordance with the rules and regulations set forth by the law.  

What are the greater implications of social media data collection on HIPAA compliance? 

Currently, the Department of Health and Human Services is investigating all complaints related to Meta Pixel and the data collection and sharing that occurred as a result of healthcare providers using Meta Pixel on their sites.  

HIPAA was specifically designed to protect the privacy of individually identifiable health information, and if Meta Pixel is releasing data that is not de-identified in order to run targeted ads on Facebook and Instagram about personal health conditions, then a major HIPAA breach has occurred. It is then up to the Department of Health and Human Services to impose fines and other penalties for all parties involved in the HIPAA breaches.  

For healthcare providers, legal and compliance teams need to be working hand-in-hand with IT and information security teams to ensure that pixels or web beacons are properly configured and that they are not transmitting personal information and medical data to third-party companies in violation of HIPAA.  
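One practical way for an IT or security team to support that review is an offline audit of the site's pages for the Meta Pixel markers described earlier in the article (the `fbevents.js` loader and the `fbq('init', …)` call), flagging pixels that load on authenticated portal pages or that pass user identifiers through the pixel's advanced-matching parameters. The following is an added example written for this page, not code from the article, from Meta, or from any provider named here; the portal path prefixes and the sample HTML pages are constructed for illustration, and the pixel ID is a placeholder.

```javascript
// Added example: offline audit of page HTML for Meta Pixel deployments that
// could carry patient context. The pages below are constructed samples, the
// path prefixes are hypothetical, and '000000000000000' is a placeholder ID.

// Markers of a Meta Pixel deployment: the loader script URL and the init call.
const PIXEL_LOADER = /connect\.facebook\.net\/[A-Za-z_]+\/fbevents\.js/;
const PIXEL_INIT = /fbq\(\s*['"]init['"]\s*,\s*['"]([^'"]+)['"]\s*(?:,\s*(\{[\s\S]*?\}))?\s*\)/;
const PIXEL_TRACK = /fbq\(\s*['"]track(?:Custom)?['"]\s*,\s*['"]([^'"]+)['"]/g;

// Hypothetical path prefixes that require a patient login; adjust to the real site.
const AUTHENTICATED_PATH_PREFIXES = ["/portal/", "/mychart/", "/results/"];

function auditPage(path, html) {
  const findings = [];
  const hasLoader = PIXEL_LOADER.test(html);
  const init = html.match(PIXEL_INIT);
  if (!hasLoader && !init) {
    return { path, pixelPresent: false, pixelId: null, events: [], findings };
  }

  // A pixel on a logged-in page fires with the page URL and title, which on a
  // portal typically encode appointment, result or condition details.
  if (AUTHENTICATED_PATH_PREFIXES.some((prefix) => path.startsWith(prefix))) {
    findings.push("pixel loaded on an authenticated page");
  }

  // Advanced matching: an object passed to fbq('init') with keys such as em
  // (email) or ph (phone) sends user identifiers along with every event.
  if (init && init[2]) {
    findings.push(`advanced matching data passed to fbq('init'): ${init[2]}`);
  }

  // Every fbq('track' / 'trackCustom') call beyond the default PageView is
  // worth reviewing, since its payload is whatever the page author chose.
  const events = [...html.matchAll(PIXEL_TRACK)].map((m) => m[1]);
  for (const eventName of events) {
    if (eventName !== "PageView") {
      findings.push(`event '${eventName}' fired: review its payload`);
    }
  }

  return { path, pixelPresent: true, pixelId: init ? init[1] : null, events, findings };
}

function auditSite(pages) {
  return Object.entries(pages).map(([path, html]) => auditPage(path, html));
}

// Constructed sample pages (not captured from any real site).
const SAMPLE_PAGES = {
  "/about-us": `<html><head>
    <script src="https://connect.facebook.net/en_US/fbevents.js"></script>
    <script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
    </head></html>`,
  "/portal/appointments": `<html><head>
    <script src="https://connect.facebook.net/en_US/fbevents.js"></script>
    <script>fbq('init', '000000000000000', {em: 'patient@example.com'});
    fbq('track', 'PageView');
    fbq('trackCustom', 'ScheduleAppointment', {dept: 'oncology'});</script>
    </head></html>`,
  "/contact": `<html><body>No tracking script on this page.</body></html>`,
};

for (const result of auditSite(SAMPLE_PAGES)) {
  console.log(result.path, result.pixelPresent ? `pixel ${result.pixelId}` : "no pixel");
  for (const finding of result.findings) console.log("  -", finding);
}
```

The scan is a text check over saved HTML, so it will not see pixels injected later by a tag manager; for those, the same markers can be looked for in the browser's network log, where the request to `connect.facebook.net` and the subsequent event beacons are visible. The useful output is the list of authenticated pages that load the pixel at all, since on those pages the page URL alone can identify a visit.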

At the same time, these healthcare legal and compliance teams need to keep track of all new and existing broad-based domestic and international patient privacy regulations and ensure they are 100% compliant to avoid fines, penalties, and possible prosecution.  

What efforts are being made to regulate tracking pixels? 

Currently, the main efforts being made to regulate tracking pixels like the Meta Pixel are still in development. Numerous lawsuits are pending in courts throughout the United States that will shape the way that Meta Pixel and other tracking pixels operate in the future. Additionally, Congress has begun several investigations into what kind of information is collected by Meta Pixel and other tracking pixels and how that information is used. Decisions in these court cases and possible legislation as a result of congressional investigations may continue to unfold throughout 2023.  
