December 7, 2022
Governance & Risk Management , HIPAA/HITECH , Legislation & Litigation Meta Says Measures Are Already in Place to Prevent the Collection of Sensitive Data Marianne Kolbasuk McGee (HealthInfoSec) • November 10, 2022     A U.S. federal district judge expressed skepticism in court over assertions from Facebook attorneys that the social media giant doesn't collect…

Governance & Risk Management , HIPAA/HITECH , Legislation & Litigation

Meta Says Measures Are Already in Place to Prevent the Collection of Sensitive Data Marianne Kolbasuk McGee (HealthInfoSec) • November 10, 2022    

A U.S. federal district judge expressed skepticism in court over assertions from Facebook attorneys that the social media giant doesn’t collect health data without consent from patients.

See Also: OnDemand | API Protection – The Strategy of Protecting Your APIs

Facebook parent Meta faces a proposed consolidated class action lawsuit in San Francisco federal court alleging it violated medical privacy laws by obtaining data from its web tracking Pixel tool embedded into patient portals and scheduling apps.

Plaintiffs asked U.S. District Judge William Orrick on Wednesday afternoon to enjoin Meta from “intercepting patient information and communications” from HIPAA-covered entities through the use of Pixel.

The lawsuit seeks damages and forms part of a wave of pressure against Meta regarding its collection and use of medical data that built up this summer following the Supreme Court’s overturn of precedent guaranteeing nationwide access to abortion. The ruling, known as Dobbs, increased concerns that tech companies track and possibly disclose to third parties individual health data (see: Pressure on Meta Mounts Over Pixel Collecting Health Data).

At least two healthcare entities have reported their use of Pixel as a HIPAA breach – North Carolina-based WakeMed Health and Hospitals and Advocate Aurora Health, a Midwest health system.

During the Wednesday court session, Orrick responded to Facebook outside attorney Lauren Goldberg of Gibson, Dunn & Crutcher after she told him that Facebook’s “generalized disclosures say that when you travel around the web and interact with websites, they can send your information [to Meta].”

The disclosures “don’t say anything about your health information,” Orrick said. “I think that’s the kind of thing that a reasonable Facebook user would be shocked to realize – if what the plaintiffs are saying is true … and I take you’re saying it is not … but if it was, then I think it’s a big problem that there is not a specific consent for health data.”

‘Pick Up the Phone’

Plaintiffs say Facebook has gained unauthorized access to data including patient status, medical appointments and medical conditions.

Facebook’s response has been that it contractually requires developers using Pixel to configure the tracking code on websites so that sensitive user data – such as health information – is not transmitted to Meta.

“Don’t send us anything you don’t have legal rights to send – and don’t send us health information; we don’t want it,” is how Meta instructs Pixel users, Goldberg said.

Facebook users can set up their individual accounts so that their “off-Facebook” activity is not tracked for advertising purposes, she said.

Orrick asked Goldberg what a Facebook user can do when the issue is not a preference over receiving targeted ads, but rather concerns about the transmission of their health-related information to Meta. “What can a consumer do to stop that?” he asked.

“Most providers won’t send this information to Meta,” she replied. “Users can disconnect their off-Facebook activity or users can pick up the telephone instead of using portals” to communicate with their healthcare providers, she said.

Plaintiffs’ attorney Jason Barnes of the law firm Simmons Hanly Conroy argued that when Meta Pixel is used on healthcare entities’ websites and patient portals, the tracking code collects and transmits to Meta the “content” of patient communications with their medical providers, including the names of buttons they clicked on the website, as well as their associated URLs.

Orrick said he “looks forward to getting a declaration within the next two weeks,” and added that “motions to dismiss are also coming up.”

Source