Meta Sued for Collecting Patient Data



Meta is facing a lawsuit over alleged privacy violations in the use of its Meta Pixel tracker.

What Happened?

The Meta Pixel, a piece of code that makes it possible for businesses to track actions taken on their website, is present on about a third of the most popular websites, according to The Markup. This includes one third of the websites owned by the top 100 hospitals in the US. Upon investigation, it was found that the Meta Pixel had likely been collecting sensitive patient data from hundreds of hospital websites.

In an alarming study, researchers found that the Pixel was gathering personal information along with the text of any buttons users clicked on, the names of doctors, any patient conditions selected, and search terms. Some password-protected portals were also being scraped, with the Pixel collecting “the names of patients’ medications, descriptions of their allergic reactions, and details about their upcoming doctor’s appointments.”

In a general notice about sensitive data posted by Meta, the company says, “If Meta’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.”

Still, the plaintiff alleged that Meta was lacking in its efforts to ensure adequate consent was given by patients before their data was provided to Facebook. Researchers could not tell whether data was actually being removed before it was received by Meta.

How does HIPAA apply to this case?

Meta is not a covered entity under HIPAA law. However, for covered entities to legally share patient data with Meta, a Business Associate Agreement with Meta would have to be in place. According to the suit, “neither Facebook nor any of the hospitals that deployed the Facebook Pixel on their web properties procured HIPAA authorizations for the disclosure of patient status and health information to Facebook.”

Meta has faced similar lawsuits in the past, and it will be interesting to see how its methods for protecting privacy may change now. Looking back, the filtering system Meta now has in place was not launched until July of 2020, years after certain hospitals had installed the Meta Pixel on their websites. “And as recently as February of last year, the [New York Department of Financial Services] reported that the system’s accuracy was poor.” Now, hospitals are beginning to remove the Pixel from their websites to keep their data safe.


If you have questions about Business Associate requirements and protecting patient data, contact your team at Medcurity.