Export Compliance Daily is a Warren News publication.
'Egregious Breach'

Meta Encourages Healthcare Partners to Upload Patient Lists: Class Action

Meta uses identifiers to match health data it collects with Facebook users and encourages healthcare partners to upload patient lists for ad targeting, alleged Tuesday's consolidated class action against the company in U.S. District Court for Northern California in San Francisco (docket 3:22-cv-03580).

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

Last month, U.S. District Judge William Orrick granted a motion to relate an eighth case to the consolidated class action against the company, and Meta asked Orrick to add two additional cases with similar causes of action (see 2302010034.

The five “Jane” and “John Doe” plaintiffs in the consolidated complaint are Facebook users who allege Meta acquires their confidential information via the Meta Pixel in violation of federal and state laws. The plaintiffs, residents of Maryland, Wisconsin, North Carolina, Ohio and Missouri, used their providers’ websites, including patient portals; three of the providers used the MyChart portal.

Meta Pixel is customizable, and web developers and advertisers can choose the actions the tool tracks and measures, said the complaint. If the code is installed as recommended, patients’ actions on the website are “contemporaneously redirected to Meta,” it said. When a patient “logs into or out of, a ‘secure’ patient portal, Meta’s source code commands the patient’s computing device” to send the communication to Meta “while the patient is communicating with her health care provider.” Meta Pixel “allows Facebook to be a silent third-party watching whatever you’re doing,” it said, citing a 2020 USA Today article.

Pixel tracks communications a patient exchanges about providers and specialists, conditions and treatments, and information exchanged with health insurance companies, pharmacies and prescription drug companies, the complaint said, saying Meta’s conduct is “an egregious breach of social norms.”

Meta’s data and privacy policy, which Facebook users must agree to in exchange for using the free social media service, “does not include any category for information collected from Facebook users’ health care providers, health insurers, pharmacies, or other covered entities” under the Code of Federal Regulations, the complaint said.

The complaint referenced a December Department of Health and Human Services bulletin saying there's no Health Insurance Portability and Accountability Act exception for marketing on the internet. “Health care providers violate HIPAA when they use tracking technologies that disclose an individual’s identifying information (like an IP address) even if no treatment information is included and even if the individual does not have a relationship with the health care provider,” said the complaint.

The complaint claims breach of contract, violation of the Electronic Communications Privacy Act, intrusion upon seclusion, negligence, trespass to chattel, unjust enrichment and violation of several California laws, including the Invasion of Privacy Act, Unfair Competition Law, Consumer Legal Remedies Act, and Comprehensive Computer Data Access and Fraud Act.

Plaintiffs seek compensatory, statutory and punitive damages, injunctive relief, restitution and disgorgement of Meta’s profits from its “unlawful and unfair business practices,” attorneys’ costs and fees, plus prejudgment and post-judgment interest.