That was fast. Class action game on! Today’s reports of a class action lawsuit being filed against Meta Friday in the US District Court for the Northern District of California in San Francisco is going to be only the first. The ‘John Doe’ plaintiff, a patient of Baltimore-based Medstar Health System and a Facebook user, claims that he is filing on behalf of “millions of other Americans whose medical privacy has been violated by Facebook’s Pixel tracking tool.” Four law firms are involved in the lawsuit. It follows on last week’s investigative report by The Markup and STAT on the Meta Pixel tracker being used by 33 of the top 100 hospital systems [TTA 17 June].
The study indicates that the information gathered in the appointment booking form included IP address, doctor’s name, patient name, email address, phone number, zip code, and city of residence. When it’s put together with outside information, it can be considered a HIPAA violation.
The lawsuit alleges that the information was collected without consent. Neither Meta nor Facebook have a Business Associate Agreement (BAA) agreement in place covering them for gathering this information in any one of the 664 health systems using the Meta Pixel cited in the suit.
The suit requests compensatory and punitive damages for breach of contract, constitutional invasion of privacy, violation of the Electronic Communications Privacy Act, violation of the California Invasion of Privacy Act, and other allegations. The filing was captured by ReclaimTheNet.org. If you look at page 18, there are multiple statements from Meta/Facebook stating that advertising based on health is ‘inappropriate’, but then illustrates how Facebook goes ahead and does it anyway (!)
A small wrinkle: In a statement to HIPAA Journal, Medstar Health Systems claimed it does not use the Meta Pixel or any Facebook code on its website. It creates an issue of the plaintiff’s standing and harm.