Advocate Aurora Health and WakeMed Face Lawsuits Because of Meta Pixel Privacy Breaches

by

Advocate Aurora Health and WakeMed Health and Hospitals are facing two class action lawsuits. Patients who had their protected health information (PHI) impermissibly disclosed to Meta/Facebook due to the usage of the Meta Pixel JavaScript code snippet on the healthcare providers’ websites and web apps filed the lawsuits. According to Advocate Aurora Health, the PHI of as many as 3 million patients was potentially exposed to Meta/Facebook. On the other hand, WakeMed stated about 495,000 patients were impacted because of adding the code on the MyChart patient website and its appointment booking page. The two healthcare companies have confessed to an impermissible disclosure of PHI however stated upon issuing notifications, there’s no report of any instances of patient data misuse and that there are no hints that Meta or Facebook employees accessed the transmitted information.

The lawsuit Advocate Aurora Health vs Meta was filed in the U.S. District Court for the Northern District of Illinois. The lead plaintiff is Alistair Stewart of Illinois. The lawsuit seeks class-action status, damages, injunctive relief, and other just compensation. The lawsuit alleges that when a user accesses the website and applications of Advocate Health, such as its LiveWell site, the transmission of and usage of personally identifiable patient data and PHI is triggered without the knowledge, permission, or agreement of patients. The lawsuit claims Advocate Aurora Health and Meta knew about the data transmission, which violates the HIPAA Rules. This was confirmed by the working of Pixel, such as showing targeted ads by Advocate’s LiveWell portal to its digital subscribers. The type of ads shown depends on the products the digital subscribers had formerly accessed on the site, including selected medical exams or treatments, for which Advocate got financial payment.

Advocate Aurora Health claims that the purpose of the tracking code was to enhance the user experience throughout its websites, and to encourage users to schedule their required preventive care. Advocate also said it has discontinued using the code and applied extra safety measures and third-party code-testing methods to avoid comparable breaches later on.

Attorneys Gary Jackson and Tom Wilmoth filed the lawsuit against WakeMed in the Wake County Superior Court in North Carolina. The case also wants class-action status, injunctive relief, and damages. The lawsuit similarly alleges that WakeMed knew that adding the code to the website would share sensitive patient information with Meta and that WakeMed got financial rewards from sharing patient data with Meta. The lawsuit claims WakeMed violated FTC Regulations and HIPAA, since sensitive healthcare information, which includes PHI, was disclosed to Meta without the awareness or permission of the plaintiff and class members.

The lawsuit claims the plaintiff sensibly anticipated her online communications with WakeMed to be private and won’t be disclosed to or seized by a third party, and that permission to share her information wasn’t requested or acquired. The lawsuit charges negligence for not implementing appropriate safety measures to avoid impermissible PHI disclosures, not giving enough training to employees, and not following industry-required information security procedures.

To ensure the success of healthcare data breach lawsuits, a true injury should have been suffered. Unlike data breach lawsuits faced by healthcare companies that were hacked, the plaintiffs’ PHI isn’t in the possession of cybercriminals and there was injury due to fraud or identity theft. The lawsuits assert an injury was experienced by means of the reduction in the value of the plaintiffs’ and class members’ private data. The plaintiff in the WakeMed lawsuit asserts that she lost time and suffered irritation, interference, and trouble, which has resulted in her struggling with anxiety, emotional stress, and greater concerns regarding her loss of privacy.

Numerous healthcare companies used the Meta Pixel code on their web pages. The Markup conducted research that showed 33 of the 100 top hospitals in America utilized the code, a number of which included Meta Pixel on their patient portals. In August 2022, Novant Health reported that the PHI of as much as 1.36 million individuals was possibly shared with Meta/Facebook, and several other healthcare companies are envisioned to make similar notices in the upcoming weeks. Lawsuits were already submitted against Dignity Health Medical Foundation and UCSF Medical Center, Medstar Health System in Maryland, and Northwestern Memorial Hospital in Chicago, because of using the tracking code on their web pages.

Elizabeth Hernandez

Elizabeth Hernandez is the editor of HIPAA News section of HIPAA Coach and an experienced journalist in the healthcare sector. She specializes in healthcare and HIPAA compliance, making her a go-to source for information on healthcare regulations. Her work focuses on the importance of patient privacy and secure information handling. Elizabeth also has a postgraduate degree in journalism. Follow on Twitter: You can follow Elizabeth on twitter at https://twitter.com/ElizabethHzone