Export Compliance Daily is a Warren News publication.
'Invasion of Privacy'

Healthcare Firm 'Planted a Bug' on Patient's Web Browser, Says Complaint

By installing the Facebook Pixel code on its website, healthcare company Aspirus “effectively planted a bug” on plaintiff “John Doe’s” web browsers and forced him and other class members to “unknowingly disclose their private, sensitive and confidential health-related communications” with Aspirus to Facebook, alleged a Friday class action (docket 3:23-cv-00171) in U.S. District Court for Western Wisconsin in Madison.

Sign up for a free preview to unlock the rest of this article

Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.

The eight-count class action alleges invasion of privacy, unjust enrichment, breach of confidence, violation of confidentiality of patient health care records, several violations of the Electronic Communications Privacy Act and violation of the Computer Fraud and Abuse Act.

The complaint cited a Department of Health and Human Services bulletin saying the unlawful transmission of protected personal health information via tracking technology breaches the privacy rule of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

In addition to Facebook Pixel, Aspirus installed and implemented Facebook’s Conversions application programming interface (CAPI) on its web servers, said the complaint. Unlike the Facebook Pixel, which “coopts a website user’s browser and forces it to transmit information to Facebook in addition to the website owner,” CAPI tracks the user’s website interaction, including private information, records and stores that information on the website owner’s servers, and then transmits the data to Facebook from the website owner’s servers, the complaint said.

Because CAPI is on Aspirus’ servers “and is not a bug planted on to the website user’s browser,” it allows the company to “circumvent any ad blockers or other denials of consent” by users “that would prevent the Pixel from sending website users’ Private Information to Facebook directly,” it alleged. Aspirus used Pixel and CAPI data for marketing to bolster profits, putting profit above patient’s privacy rights, it said.

The information John Doe, a Crandon, Wisconsin, resident, submitted to the Aspirus website included type of treatment sought, his health condition and attempts to make medical appointments, which Facebook could sell to third-party marketers who then could “geo-target” his Facebook pages based on communications obtained by the Pixel and CAPI, the complaint said.

Facebook and third-party purchasers of plaintiff’s private information “could reasonably infer from the data that a specific patient was being treated for a specific type of medical condition, such as cancer, pregnancy, dementia or HIV,” said the complaint. The plaintiff and class members didn’t sign a written authorization for Aspirus to send their private information to Facebook, it said.

John Doe seeks an injunction barring Aspirus from misusing or disclosing his private information and relief compelling the company to use appropriate methods for consumer data collection, storage and safety, plus disclosing the specific type of personal information disclosed to third parties. He also seeks restitution and disgorgement of revenue wrongfully retained; an award of actual, compensatory and statutory damages and penalties; and attorneys’ fees and legal costs.