Meta may have scooped up sensitive medical information without consent. The Verge reports that two proposed class-action lawsuits accuse the company and hospitals of violating HIPAA, the California Invasion of Privacy Act and other laws by collecting patient data without consent. Meta's Pixel analytic tracking tool allegedly sent health statuses, appointment details and other data to Facebook when it was present on patient portals.
In one lawsuit from last month, a patient said Pixel gathered data from the UC San Francisco and Dignity Health portals that was used to deliver ads related to heart and knee issues. The second lawsuit, from June, is broader and claims at least 664 providers shared medical info with Facebook through Pixel.
We've asked Meta for comment. The company requires that sites using Pixel obtain the right to share data before sending it to Facebook, but the plaintiffs claim Meta refused to enforce its policies. It placed Pixel on the facilities' websites despite knowing the kind of data it would collect, according to the lawsuits.
The lawsuits aren't guaranteed to achieve class-action status, and such lawsuits rarely provide large payouts to individuals. If successful, though, the legal action could prove costly for Meta. They're asking for damages on behalf of all Facebook users whose healthcare providers rely on Pixel, and that could include millions of people.
They also follow a string of privacy-related US legal action against the social media giant. Meta is facing a DC Attorney General suit over Cambridge Analytica's collection of more than 70 million Americans' personal data. The company is also grappling with lawsuits over its deactivated facial recognition system, and only this year settled a 2012 class-action over the use of tracking cookies. These latest courtroom battles suggest that concerns about Meta's data gathering practices are far from over, even as the company makes its own efforts to crack down on misuse.