Meta Collection of HIPAA-Protected Information Class Action

Meta Platforms, Inc. has been under repeated investigation for its data-mining practices and its use of the private information of consumers without their consent or even their knowledge. This class action takes issue with a particular instance of this intrusion, that is, Meta’s alleged collection of information from communications between patients and medical providers—information that the complaint claims is protected health information (PHI).

A class and two subclasses have been defined for this action:

• The Nationwide Class is all persons who are current or former patients of a medical provider in the US with web properties through which Meta acquired patient activity relating to medical provider websites or patient portals, appointments, phone calls, and communications associated with patient portal users, for which neither the medical provider nor Meta obtained a Health Insurance Portability and Accountability Act (HIPAA) consent, or any other valid consent, for sharing, gathering, or use of information subject to the HIPAA Privacy Rule.
• The North Carolina Subclass is all those in the above class who live in North Carolina.
• The Meta Social Media Platform Subclass is all users of Meta’s social media platforms who are current or former patients of any medical provider in the US with web properties through which Facebook acquired patient activity relating to medical provider websites or patient portals, appointments, phone calls, and communications associated with patient portal users, for which neither the medical provider nor Meta obtained a HIPAA consent or any other valid consent, for the sharing, gathering, or use of information subject to the HIPAA Privacy Rule.

One of the ways Meta collects data is through the Meta Pixel, a bit of code that can be installed on websites to monitor activity. This information can be used to help the website owner improve the website’s performance, the complaint alleges, or to determine whether advertising is effective.

But the complaint alleges that Meta also uses it “to track the online actions of individuals, including shopping trends and purchase history, search and other browser information, and what websites an individual visits” and so on. Meta makes most of its income from advertising, and the information collected helps it sell its targeted advertising options.

According to the complaint, at patient portals on website, Meta gathers “even more information—appointment information, treating provider information, and potentially even diagnoses-related information from text box entries.” This information, the complaint alleges, includes PHI on specific individuals that is protected under HIPAA’s Privacy Rule.

The complaint alleges that Meta gathers this information without proper authorization and uses it for its own gain.

For example, the complaint alleges that one of the plaintiffs in this case has “an uncommon health diagnosis” for which he received treatment at Novant Health. It claims that, through the installation of the Meta Pixel on Novant’s patient portal, Meta gathered information on his diagnosis, so that targeted advertising relating to his diagnosis appeared in his Facebook newsfeed, for Meta’s profit and without his knowledge or consent.

Article Type: Lawsuit
Topic: Privacy
Tags: HIPAA, Invasion of Privacy, Sharing Medical Information Without Consent, Using Your Private Information Without Consent, Your Privacy, wiretapping