Facebook’s parent Meta is facing a class-action lawsuit that claims the company has been harvesting users’ sensitive health information through online patient portals for the purposes of targeted advertising.
The lawsuit comes from an anonymous user, “Jane Doe,” who alleges Meta began serving her targeted ads related to her medical condition after she used the patient portals at The University of California, San Francisco Medical Center (UCSF) and Dignity Health. BleepingComputer was first to report the news.
The lawsuit focuses on an advertising tool from Facebook’s parent called Meta Pixel. The tool is a snippet of JavaScript code that companies can embed on their websites. In return, Meta Pixel can track user “conversions” to Facebook ads, to judge whether visitors are really clicking on them.
The tool can also let companies see what actions visitors are taking on a website, such as adding an item to their shopping cart or making a search. However, the lawsuit alleges the same tool can allow Meta “to surreptitiously gather every user interaction” with a website, since user consent is never asked.
“Alarmingly, Meta Pixel is incorporated on websites that are used to store and convey sensitive medical information intended to stay private. For example, Meta Pixel is embedded on the websites of 33 of the top 100 hospitals in America,” the lawsuit says, citing an investigation from The Markup, which focused on the potential privacy violations of Meta Pixel back in June.
The complaint then goes on to claim Meta’s pixel technology can collect information about a patient’s health conditions, diagnoses, and test results through the health providers’ websites. In addition, the Pixel tool is allegedly embedded on “password-protected patient portals of at least seven health systems.”
“Meta knows that the user data collected through its Pixel on healthcare defendants’ websites includes highly sensitive medical information but, in reckless disregard for patient privacy, continues to collect, use, and profit from this information,” the lawsuit alleges.
In the case of Jane Doe, the user entered information about a heart and knee condition into a health provider’s website. Facebook then began showing her ads about fighting heart disease and joint pain, the lawsuit claims.
Meta did not immediately respond to a request for comment. But the company says it has policies in place to filter out sensitive health information from its ad systems. However, a recent investigation from The Markup found the filtering can still collect obvious sexual health information when the Meta Pixel is embedded on a website.
The class-action lawsuit is demanding that Meta pay damages and cease the data collection, saying the users' health information is protected under the Health Insurance Portability and Accountability Act (HIPAA).