The class action lawsuits filed by Herman Herman & Katz allege Meta Pixel code potentially analyzed, gathered and shared the sensitive medical data of hundreds of thousands of patients across the LCMC Health Systems and Willis-Knighton Health System networks.
WHY IT MATTERS
Pixel technology uses a Java tracking script to send an organization’s data to the technology owner, which in this case, is Meta, owner of Facebook, Instagram and WhatsApp. Tracked data could be shared with network marketing partners who target individuals with offers and advertisements.
The new class action lawsuit alleges that visitors to the health system websites may have had their protected health information – medical conditions, prescriptions, doctors’ names and previous appointments – sent to Facebook when they scheduled appointments online or through patient apps.
“In one case, for example, a woman received targeted ads about heart disease and joint pain shortly after entering her information into one of the hospital websites,” the firm said in the announcement.
Louisiana law generally prohibits the sharing of personal health information with a third party without patient consent, the trial lawyers say.
Beyond stopping the practice, the legal team will also seek that any profit that the hospitals may have made from selling the data be paid to the victims, said Stephen Herman, partner at Herman Herman & Katz, in a video linked to the announcement.
LCMC Health Systems is a network of New Orleans-area hospitals and medical facilities, including Children’s Hospital, East Jefferson General Hospital, New Orleans East Hospital, Touro, University Medical Center New Orleans and West Jefferson Medical Center.
Willis-Knighton Health System is the largest healthcare provider in northwest Louisiana and includes Willis-Knighton Medical Center, Willis-Knighton South & the Center for Women’s Health, WK Bossier Health Center, WK Pierremont Health Center and WK Rehabilitation Institute.
THE LARGER TREND
Multiple class action lawsuits involving alleged breaches of protected health information by pixel tracking technologies have been filed since 2022 with several major U.S. health systems either named as co-defendants or facing lawsuits themselves.
Several health systems, including Advocate Aurora Health, have posted data breach notices when they learned that pixels, or similar online tracking technologies, had been installed on patient portals, websites and patient apps.
In October, Advocate Aurora said as many as 3 million patients in Illinois and Wisconsin might have been affected when pixels transmitted certain patient information to third-party vendors. The health system said it disabled or removed the pixels from its platforms.
“What makes this situation especially complex and troubling is that the healthcare organizations themselves may not have been aware that the Meta Pixel Tool had been embedded in its website and/or that it was tracking, comparing and receiving data about patients, including PHI,” according to Andrew Mahler, a former investigator with HHS Office for Civil Rights and now VP of privacy and compliance at CynergisTek.
“This underscores the importance of performing thorough risk analyses, proper training and education, as well as independent third-party reviews of policies, processes and systems to highlight potential gaps and risks,” he told Healthcare IT News.
In December, the U.S. Department of Health and Human Services issued guidance on the use of online tracking tools in healthcare customer relationship management programs.
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules,” the agency said.
Meta has since been fined 390 million euros, or more than $414 million, by European Union regulators in a major decision on alleged violations of the EU’s General Data Protection Regulation.
ON THE RECORD
“We are learning more and more about this shocking breach of trust as our investigation continues,” said Herman in the statement.
“This was a gross invasion of privacy that we believe went on for years.”
Andrea Fox is senior editor of Healthcare IT News.
Healthcare IT News is a HIMSS Media publication.