Meta Platforms (formerly known as Facebook, Inc.), the University of California San Francisco (UCSF) Medical Center, and Dignity Health Medical Foundation are being targeted by a class action lawsuit centered on an anonymous patient whose lawyers allege her private medical information was unlawfully taken from her and used for profit.
The "Defendants' action constitute an extreme invasion of Plaintiff and Class members' right to privacy and violate federal and state statutory and common law," her attorneys .
This case is part of a larger issue around data sharing and private medical information that's become an increasing concern for patients and doctors alike.
The plaintiff, known as Jane Doe in the lawsuit, began receiving emails and seeing targeted ads on Facebook related to her medical conditions after she had scheduled appointments and contacted doctors using UCSF's and Dignity's patient portals. What she didn't know was that they had a piece of software called "Meta Pixel" tucked into their code.
Meta Pixel, as Meta describes it to potential users, is a "snippet of JavaScript code that allows you to track visitor activity on your website." UCSF Health does note in their that they gather personal medical information about its users for a number of reasons, including to send "product and service information" and to "improve the UCSF Health website user experience," though the statement also says that the health system won't share personal information "without your consent other than as required by laws."
UCSF Health's policy also acknowledges that they "may" use third parties including "Facebook Pixel" to collect information from the website, noting that "these companies collect information from across the internet and are not controlled or managed by UCSF."
The only way to opt out of this data collection is to go to Facebook's website and change the privacy settings.
Moreover, these policies only apply to the consumer-facing website, which is separate from the patient portal, MyChart, where more private data are stored, like health records, test results, and diagnoses. MyChart's privacy policy states that "the information you provide on this web site is protected by federal laws," but otherwise directs patients to customer service for more information.
According to the complaint, "when Plaintiff Doe logged into Healthcare Defendants' patient portal, there was no indication that Meta Pixel was embedded or that it would collect her sensitive medical information."
Meta has implied that they draw the line at accepting sensitive medical information from those that use their tool -- and that this kind of data sharing goes against their own policies.
A Meta spokesperson sent links to its Meta Pixel policies in an email. According to on "Restricted Meta Business Tools Data" (Meta Pixel is one of their "business tools"), "advertisers should not share Business Tools Data with Meta that they know or reasonably should know is either from or about children under the age of 13, or includes health or financial information, or other categories of sensitive information."
They define "sensitive health information" on , which includes information on diseases, medical conditions, and injuries -- exactly what the lawsuit claims they did indeed access and use to send Doe ads on Facebook.
However, Meta's policies specify that they can gather personal contact information from these sites and then match it with "Meta user accounts" -- meaning whatever information Meta does gather can be used to then find the user's Facebook account and tailor Facebook ads specifically to that user.
The lawsuit argues that Meta is violating its own policies, which "were not enforced or entirely ineffective." They quote from Meta in 2021 in which a Meta engineer acknowledged that "we do not have adequate level of control and explainability over how our systems use data."
The ads the patient received after she used the portals to receive test results and diagnoses for her heart and knee conditions were specific enough to be from the patient portal itself: one from "Dr. Livingood" referenced "your heart condition." Another for the "UpWellness Shop" announced "30-Sec. Joint Pain Trick 'Greases' Bone-on-Bone Knee Pain." Emailed ads crept into her inbox, including one about treatments for cardiovascular disease.
"She has received so many of the targeted emails that she created a new email account separate from the one associated with her Facebook account to avoid the advertisements," Melissa Nafash, JD, of Labaton Sucharow, one of the firms representing Doe, wrote in an email to 鶹ý. "This is an overwhelming invasion of Plaintiff Doe's privacy and we look forward to representing her and the putative class in this important case."
The lawsuit also argues that none of the defendants had a right to collect or use, let alone share, sensitive medical information that's protected by various California laws and HIPAA, which they say "does not permit the use and disclosure of protected health information to Meta for use in targeted advertising."
A spokesperson for UCSF said in an email that they can't comment on pending litigation. Dignity Health Medical Foundation did not respond to requests for comment in time for publication.