Heathcare Firm Was Aware That Using Meta Pixel Had Privacy Implications: Plaintiffs
Eisenhower Medical Center installed Facebook’s Meta Pixel tracking tool and other third-party tracking technology on its web properties in order to send users' private information to third parties such as Facebook or Google, allege plaintiffs B.K. and N.Z. in a Thursday privacy class action (docket 5:23-cv-02092) in U.S. District Court for Central California in Riverside.
Eisenhower Medical Center in Rancho Mirage, California, disregarded the privacy rights of millions of visitors to its websites by “intentionally, willfully, recklessly and/or negligently failing to implement adequate and reasonable measures” to safeguard users' personally identifiable information (PII) and protected health information (PHI), said the complaint.
Riverside County, California, residents B.K. and N.Z. were aware of the defendant’s duty of confidentiality when they sought its medical services, said the complaint. When they provided their private information to Eisenhower Medical, they had a “reasonable expectation that the information would remain confidential” and it wouldn’t share it with third parties for a commercial purpose “unrelated to patient care.” They relied “to their detriment” on the healthcare provider’s “uniform representations and omissions regarding protection privacy, limited uses, and lack of sharing of their Private Information," it said.
Now that plaintiffs’ sensitive personal and medical information is in the possession of third parties, they face a “constant threat of continued harm -- including bombardment of targeted advertisements based on the unauthorized disclosure of their personal data,” said the complaint. Collecting and sharing their sensitive information without consent or notice “poses a great threat to individuals by subjecting them to the never-ending threat of identity theft, fraud, phishing scams, and harassment,” said the complaint.
Once private information is shared with Facebook, it can’t be effectively removed, “even though it includes personal and private information,” said the complaint. Facebook is one of the largest advertising companies in the country, with over 2.9 billion active users, it said. The company began monetizing the platform in 2007 when it launched “Facebook Ads” that allow “advertisers to deliver more tailored and relevant ads.”
Meta’s revenue from advertising services was $28.6 billion in Q1. Ad targeting via Meta Pixel has been so successful because of Facebook’s ability to target people at a “granular level,” the complaint noted. In November 2021, Facebook acknowledged that “micro-level targeting” is “highly problematic” and said it was removing options involving “topics people may perceive as sensitive,” including health causes, it said.
The Pixel “acts as a conduit of information,” sending information it collects to Facebook through scripts running in the user's internet browser, said the complaint. The information is sent in data packets labeled with PII, including the user’s IP address. If the user has a Facebook account, the PII collected is linked to the user’s Facebook account, and “many common browsers will attach third-party cookies allowing Facebook to link the data collected by Meta Pixel to the specific Facebook user,” it said.
Alternatively, Facebook can link data to a user’s Facebook account through the Facebook Cookie, a “workaround to recent cookie-blocking techniques,” including one developed by Apple, to track users, the complaint said.
The complaint referenced a recent investigation saying Meta Pixel was installed inside password-protected patient portals of at least seven health systems. When a user navigates through the patient portal, Meta Pixel sends Facebook “sensitive data including, but not limited to, the User’s medication information, prescriptions, descriptions of their issues, notes, test results, and details about upcoming doctor’s appointments,” it said. Health privacy consultant David Holtzman said the investigation was “quite likely" a Health Insurance Portability and Accountability Act violation by the hospitals, the complaint said.
Eisenhower Medical was aware that incorporating the Meta Pixel onto its web properties would result in the disclosure and use of plaintiffs’ and class members’ PII and PHI, the complaint said. Software companies like MyChart that provide online access to medical records used by the defendant “specifically recommended heightened caution around the use of custom analytics,” it said, but the healthcare company continued to use the Meta Pixel on its web properties, it said.
The defendant “had the explicit option to disable" the Pixel technology on its web properties “but chose not to exercise this option, thereby continuing to share data with Facebook despite the availability of preventive measures,” it said. Meta advised third parties like Eisenhower Medical to “refrain from sending any information they did not have the legal right to send and expressly emphasized not to transmit health information,” but Eisenhower “in direct contravention of these disclosures,” and despite its promises to keep health-related data about patients confidential, “continued to employ Pixel tracking on its Web Properties, thereby sharing sensitive patient data without proper authorization or consent,” it said.
Plaintiffs claim violation of California’s Medical Information, Invasion of Privacy and Consumers Legal Remedies acts, its Unfair Competition Law, invasion of privacy; violation of California’s penal code and the Electronic Communications Privacy Act; negligence, breach of confidence, breach of fiduciary duty and unjust enrichment.
Plaintiffs seek orders requiring Eisenhower Medical to provide “clear information” about its data-collection practices for patients and users; requiring them to establish protocols for removing all PII that has been “leaked to Facebook” and other third parties; opt-out procedures for individuals who don’t want their information tracked when interacting with Eisenhower’s web properties; and requiring it to delete and purge user PII “unless Defendant can provide reasonable justification for the retention and use of such information when weighed against the privacy interests of Users.”