Litigation Alleges the Web Tracker Scraped Sensitive Patient Information
A federal judge has again given the green light for a proposed consolidated class action lawsuit against Meta to proceed. The litigation claims the firm unlawfully collected patient data from the websites of hospitals and other providers through the use of its Pixel tracking tool.
In a ruling issued Monday, District Judge William Orrick of the U.S. District Court for the Northern District of California denied Meta’s motion to dismiss the case, except for claims under the California Legal Remedies Act that the plaintiffs voluntarily withdrew from their lawsuit. The California Legal Remedies Act protects consumers from unfair competition and unfair or deceptive acts.
This is the second time Orrick has denied Meta’s attempt to shelve the litigation, which was filed in June 2022 and consolidates about a dozen similar proposed class action lawsuits against the tech company (see: Judge Again Says Meta Pixel Privacy Case Dismissal Unlikely).
In a ruling last September, Orrick granted Meta’s motion to dismiss several of the plaintiffs’ original claims, including negligence per se and allegations of various privacy law violations.
In that earlier ruling, however, the judge allowed the case to move forward on other claims, including one that alleges Meta violated state and federal wiretap laws by intentionally intercepting the contents of plaintiffs’ electronic communications using a device (see: Judge Gives Green Light to Meta Pixel Web Tracker Lawsuit).
In his ruling last fall, Orrick also allowed plaintiffs to file an amended complaint to strengthen certain privacy assertions, including describing the types or categories of sensitive health information they gave to their healthcare providers that they believe Meta collected without their consent.
The plaintiffs took up the judge’s offer for an opportunity to file an amended complaint within 20 days of that September ruling.
Strengthen Privacy Allegations?
In its latest motion to dismiss the lawsuit’s privacy claims, Meta argued, among other assertions, that the plaintiffs allege only that information “about their browsing through websites providing healthcare information to the public at large” had been received by Meta, based on the URLs provided in the plaintiffs’ amended complaint.
But in his ruling on Monday, Orrick disagreed with Meta’s argument that the plaintiffs’ amended complaint did not strengthen their privacy allegations.
“For the most part, plaintiffs identify the health conditions for which they sought treatment or services, as well as examples of their queries, appointment requests, or other information and services about which they communicated with their providers,” Orrick wrote.
Meta argued that the disclosures do not violate patient privacy-based claims. The judge held that the “allegations suffice at this juncture because they identify generally the types of sensitive information plaintiffs shared with their healthcare providers that was plausibly collected by Meta.”
Meta also argued that the communications between patients and providers were made on public websites, but Orrick responded, “That fact is not irrelevant to the question of whether plaintiffs will ultimately be able to prove an invasion of privacy when considering the totality of the circumstances, but at this juncture and given that plaintiffs were communicating with their healthcare providers about their healthcare needs, plaintiffs have alleged enough for this claim to proceed to discovery.”
Orrick also rejected Meta’s argument to dismiss the lawsuit’s claims pertaining to the Comprehensive Computer Data Access and Fraud Act – or the state’s anti-hacking statute – and various other state law violation allegations.
They include plaintiffs’ claims in the amended complaint that Meta has altered plaintiffs’ devices by “usurping their normal operation” through “surreptitiously placing a cookie on them,” causing the computers to redirect plaintiffs’ data to Meta, Orrick wrote.
“Plaintiffs allege that the Pixel records and transmits information to Meta. They say that Meta designed the Pixel to log and track website visitors’ actions, that Meta disguises the Pixel as a first-party cookie to allow it to be placed on website visitors’ devices and avoid detection, and that the Pixel usurps the normal operation of website visitors’ devices,” he wrote.
“These are sufficient to allege that the Pixel, as Meta puts it, transmits information without permission in violation [of California’s anti-hacking statutes]. Whether that was Meta’s intent or whether Meta’s intent was not to secure sensitive tracking information without consent should be tested on an evidentiary basis.”
“I conclude that plaintiffs’ allegations regarding the operation and impacts of the [Meta] cookie are sufficient at this juncture. If Meta is right that, after discovery, all plaintiffs can point to is the mere copying of data and no alteration to plaintiffs’ data or devices, then Meta may re-raise its ‘mere use is not sufficient’ argument,” Orrick wrote.
A jury trial for the case is set for Dec. 1, 2025.
Neither an attorney representing Meta nor a lawyer representing plaintiffs in the case immediately responded to Information Security Media Group’s requests for comment on Orrick’s ruling.
Growing Controversies
Privacy concerns over the use of web trackers to collect individuals’ sensitive health and other data – including location information – and share it with third parties continue to grow.
Besides Meta’s litigation, several U.S. healthcare organizations are facing similar proposed class action lawsuits involving privacy concerns over their current or previous use of online trackers on their websites and patient portals.
Earlier this month, North Carolina-based healthcare system Novant Health agreed to pay $6.6 million to settle a consolidated class action lawsuit involving its use of tracking tools on its websites and patient portals (see: NC Health System Agrees to Pay $6.6M in Web Tracking Case).
Federal and state regulators are also intensely scrutinizing the use of web trackers in health-related websites.
In December, NewYork-Presbyterian Hospital agreed to pay a $300,000 fine and take corrective actions under a settlement with the New York state attorney general’s office involving the academic medical center’s previous use of tracking tools in its websites and patient portal (see: State AG Hits Hospital With $300K Fine for Web Tracker Use).
The U.S. Federal Trade Commission and the Department of Health and Human Services last July jointly sent letters to 130 hospitals and telehealth providers warning of potential data privacy and security violations involving the use of online tracking technologies (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).
But the American Hospital Association and three other organizations last November filed a federal lawsuit seeking to have HHS withdraw guidance warning that the use of online trackers by hospitals potentially violates HIPAA (see: AHA Sues Feds Over Privacy Warning About Web Tracker Use).
HHS on Jan. 26 filed a consent motion in that litigation, asking a Texas federal court to extend a series of scheduled deadlines in the case, including parties’ cross-motions for summary judgement, “to enable the parties to discuss a potential resolution of the matter without the need for further briefing or intervention of the court.”
The U.S. District Court for the Northern District of Texas yesterday granted HHS’ motion to extend several briefing deadlines in that case by about one month, through mid-April.
An attorney not involved in that case told ISMG the discussions between HHS and AHA appear to pertain to a possible settlement of the lawsuit.