Governance & Risk Management
,
HIPAA/HITECH
,
Privacy
Latest in a String of Similar Proposed Class Actions Against Other Firms
The University of Iowa Health Care is facing a proposed class action lawsuit from a patient who alleges that online tracking tools embedded into the medical center’s websites secretly transmitted sensitive personal and health information to Facebook.
See Also: Live Webinar | Education Cybersecurity Best Practices: Devices, Ransomware, Budgets and Resources
The claim is the latest in a string of legal actions against other healthcare centers that pasted Facebook Pixel and similar online behavior tracking code into their patient portals.
The complaint alleges that the Iowa medical center “purposely and intentionally” installed the pixel and conversions application programming interface tools to “surreptitiously share its potential and current users’ private and protected communications with Facebook,” including information protected by HIPAA.
UIHC in a statement to Information Security Media Group said the allegations are unfounded. “University of Iowa Health Care is committed to protecting patient privacy. We do not share protected health information of our patients with Meta or Facebook.”
Plaintiff attorney Brian Marty of Shindler, Anderson, Goplerud & Weese said, “The facts alleged in the complaint speak for themselves, as well as the dozens of other lawsuits filed across the country alleging the same or similar misconduct by healthcare providers.”
Concerns over the use of web trackers by the healthcare industry exploded in the wake of last summer’s Supreme Court decision that struck down a constitutional right to abortion embodied by the five-decade-old precedent of Roe v. Wade.
The Department of Health and Human Services has since warned that commercial web traffic trackers embedded into patient portals may violate privacy law. A growing number of healthcare companies are treating past use of trackers as a reportable data breach incident.
The department’s top HIPAA enforcer said in early April that regulators will “hopefully soon” bring an enforcement action for tracking-tool related HIPAA violations (see: HHS OCR Leader: Agency Is Cracking Down on Website Trackers).
The lawsuit against the Iowa medical center seeks damages, including punitive damages, as well as injunctive relief ordering it to not engage “in the wrongful conduct alleged in the complaint pertaining to the misuse and/or disclosure of the private information.
Facebook faces a consolidated putative class action lawsuit in the U.S. District Court for the Northern District of California alleging the social media giant violated medical privacy laws by obtaining data from its web tracking Pixel tool embedded into patient portals and scheduling apps.
A judge in December denied the plaintiff’s bid to enjoin Facebook collecting patient information from healthcare entities. The social media’s use of systems created to block the receipt of sensitive information combined with “factual uncertainties” means “it is too early to find that the public interest supports a mandatory injunction,” wrote U.S. District Judge William Orrick.