Medical records are supposed to be confidential, but Facebook's parent company, Meta, has allegedly been tracking patient data at one-third of the top 100 hospitals in the United States.
A report published by The Markup says the tracking has been carried out secretly, without patient consent and apparently without the knowledge of the hospitals.
Patient information is protected by federal law. The Health Insurance Portability and Privacy Act (HIPAA) prohibits the release of patient data without the patient's consent.
In its report, The Markup said it found that when a visitor clicked the ‘Schedule Online’ button on a doctor’s page, the Meta Pixel sent the text of the button to Meta, along with the doctor’s name and the search term, which in one of the cases studied was pregnancy termination.
In other cases, information was taken from selections made in dropdown menus, which revealed the patient’s condition – Alzheimer’s disease, for example.
The Markup said there did not appear to be any business associate agreements between the hospitals and Meta that would allow the data sharing under the HIPAA Rules. Nor did it find any evidence of express consent from patients, suggesting potential HIPAA violations.
Class action suit filed
The allegations have already resulted in litigation. A lawsuit was filed Friday in San Francisco federal court as a proposed class action on behalf of millions of patients.
"Despite knowingly receiving health-related information from medical providers, Facebook has not taken any action to enforce or validate its requirement that medical providers obtain adequate consent from patients before providing patient data to Facebook," the lawsuit stated, according to an MSN report.
The lawsuit alleges: "Facebook monetizes the information it receives through the Facebook Pixel deployed on medical providers’ web properties by using it to generate highly-profitable targeted advertising on and off Facebook."