A lawsuit has been filed against Cedars-Sinai Medical Center alleging impermissible disclosures of patient data to Google, Meta, and other third parties due to the use of website tracking technologies without either a business associate agreement with the code providers or authorizations from patients. In the summer of 2022, an investigation into the use of these technologies revealed almost one-third of the top 100 hospitals in the United States had used pixels and other tracking code on their websites that were capable of collecting and transmitting sensitive data to the providers of that code. The Cedars-Sinai lawsuit is one of dozens filed against healthcare providers and other health-related companies in the past year over the use of tracking technologies on websites and mobile apps without user consent.
The widespread use of tracking technologies prompted the HHS’ Office for Civil Rights to issue guidance in December 2022 on the use of these technologies. The guidance confirmed that any tracking technologies that are capable of touching information protected by HIPAA can only be used if a valid, HIPAA-compliant business associate agreement is obtained from the provider of the code or if patient consent is obtained to share HIPAA-protected data.
The Cedars-Sinai Medical Center lawsuit was initially filed in California state court on December 30, 2022, but was moved to the U.S. District Court for Central California in Los Angeles on February 3, 2023. The lawsuit – John Doe v. Cedars-Sinai Health System and Cedars-Sinai Medical Center – alleges invasion of privacy, intrusion upon seclusion, negligence, breach of implied contract, breach of contract, and violations of the California Invasion of Privacy Act, California Confidentiality of Medical Information Act, and California Unfair Competition Law.
The lawsuit alleges the sensitive personal and health information of the plaintiff and other Cedars-Sinai patients was impermissibly disclosed to Google, Meta, and Microsoft Bing due to the use of tracking code on its website. The lawsuit states that Cedars-Sinai encourages patients to visit its website to research medical symptoms and health issues, identify doctors that can treat their specific health problems, and make appointments online. Doing so requires patients to disclose their symptoms and communicate highly sensitive medical information, which the plaintiff did in the belief that privacy was assured.
The tracking technologies added to the website recorded individually identifiable information based on user interactions and transmitted that information to unrelated companies, including Meta/Facebook, Google, Microsoft Bing, and social media platforms or businesses. According to the lawsuit, “this code served as real time wiretaps on patients’ communications,” and allowed marketing companies to use patients’ private information to target them with advertising related to their medical conditions, yet consent to collect and use private information for that purpose was not obtained, and patients were not informed about those uses and disclosures. The plaintiff is a Facebook user that has the ‘Keep Me Logged In’ feature of his Facebook account activated. He noticed an increase in health-related adverts since visiting the Cedars-Sinai website for further information on his medical condition. Some of the adverts he was served were specific to the medical condition he researched on the Cedars-Sinai website.
The lawsuit takes aim at Cedars-Sinai, not the providers of pixels and code, which explain in their terms and conditions that uses of the code in connection with health data is not permitted. For example, Google prohibits the use of Google Analytics code on the websites of HIPAA-covered entities and their business associates for any manner or purpose involving protected health information. The lawsuit claims that the inclusion of the tracking code has violated the privacy of patients and also constitutes a violation of the HIPAA Rules. The lawsuit seeks class action certification, a jury trial, compensatory and punitive damages, and injunctive relief.
The post Cedars-Sinai Medical Center Sued for Website Tracking Technology Privacy Violations appeared first on HIPAA Journal.