Pixel Violates Patients' Privacy Rights, Says Newly Severed Complaint

The use by the University of California San Francisco Medical Center of Mega Pixel tracking technology in its My Chart online patient portal is an “extreme invasion” of plaintiff's and class members’ right to privacy and violates state statutory and common law, said a class action filed Thursday in U.S. District Court for Northern California in San Francisco.

The complaint is the result of a Nov. 21 order by Judge William Orrick to sever the case, and one against Dignity Health, into separate actions. Orrick consolidated all the cases against Meta in October (see 2212220032).

Thursday's class action brought by Sacramento resident "Jane Doe" notes when Meta Pixel, a snippet of code, is embedded on a third-party website, it tracks each user’s activity on that website and sends the data to Meta, which stores information on its server in some instances “for years on end,” the complaint said. The complaint noted Mega Pixel’s ability to track and log each page a user visits, the buttons they click and specific information they input into the website, such as answers to questions or inputs to a form requesting health information.

The plaintiff, referred to UCSF for cardiology assessment and high blood pressure, was advised to use the MyChart patient portal to make appointments, track results and communicate with doctors. She didn’t know the defendant “disclosed and allowed” Meta to intercept the data, which it “associated with Plaintiff’s Facebook account and other information for use in targeting her with advertisements,” the complaint said.

The plaintiff subsequently received targeted ads for medications and treatments related to the medical conditions she was treated for at UCSF on her Facebook page, in email and by text, the complaint alleges. A screenshot in the complaint shows a sponsored Facebook ad related to heart disease.

UCSF's use of the Meta Pixel on its website and MyChart patient portal led to sensitive health information about class members’ medical conditions, appointments, treatments, messages to health care providers and user data being sent to Meta without their consent, plaintiffs allege. UC Regents knew by embedding the Meta advertising tool that they were “disclosing and permitting Meta to intercept and use” members’ user data, including sensitive medical information, it said.

The UCSF privacy statement says personal information is not disclosed without a patient’s consent and that disclosures of health information for marketing purposes “are strictly limited” and require written authorization, said the complaint.

The complaint referenced an April Vice article citing leaked Meta documents, including one from an employee saying the company doesn’t have an adequate level of control over how its systems use data, “and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’” The complaint also alleges MyChart warned UC Regents about the use of custom analytics scripts such as Meta Pixel.

Personal medical information is a “gold mine” for health care companies, said the complaint, citing Experian. A single social security number might sell for $0.53 vs. a complete health record for $250 on average, the complaint said, citing Invisibly, which said health care records have been proven to be of particular value to data thieves.

The plaintiff alleges UCSF violated the California Invasion of Privacy Act and Confidentiality of Medical Information Act, with additional claims of breach of contract, intrusion upon seclusion and unjust enrichment. The plaintiff seeks certification of the case as a class action with nominal, statutory, punitive damages, awarding of litigation expenses and injunctive and declaratory relief.