Earlier this month, a lawsuit was filed against The Christ Hospital in Cincinnati, OH, alleging third-party tracking code had been added to its website that was transmitting sensitive patient data to Meta and other third parties, without obtaining authorization from patients.
An investigation by The Markup last summer revealed one-third of the top 100 hospitals in the United States had Meta pixel tracking code on their websites, several of which were confirmed as having added the code to their password-protected patient portals. In some instances, the code was transmitting patient data to Meta, such as if website visitors were logged into their Facebook accounts while browsing the hospital websites. Tracking code is also provided by others, such as Google, which can similarly transmit data based on the interactions of users on websites.
Following the investigation, several healthcare organizations announced data breaches related to tracking technologies that have resulted in the impermissible disclosure of patient information. The HHS’ Office for Civil Rights recently issued guidance on the use of tracking technologies on hospital websites, confirming that these technologies have the potential to violate the HIPAA Rules, and the use of these technologies without patient authorizations or a business associate agreement is likely to be a reportable data breach. The Christ Hospital does not appear to have announced any such breach to date.
The lawsuit – Doe v. The Christ Hospital – was filed on January 10, 2023, by attorney James Eugene Burke III in Hamilton County Court but has since been moved to federal court. According to the lawsuit, The Christ Hospital website has a search engine that patients are encouraged to use to find physicians within its network, and patients can schedule appointments with those physicians online. The hospital website allegedly includes Meta Pixel and other third-party code, which collects information about the activities of website users and transmits that information to Meta and others, with the information potentially used to serve patients with targeted adverts on Facebook and other Meta platforms.
The lawsuit alleges patients who searched for cancer transmits, mental health care, and even sexually transmitted infections could be targeted with adverts related to their searches on the site. The lawsuit also alleges third party code was included on the MyChart patient portal, which could potentially transmit communications with physicians to third parties without patient authorization, in violation of the HIPAA Rules.
The lawsuit names Jane Doe as plaintiff and seeks class action status to cover all similarly affected patients. The lawsuit seeks a jury trial, punitive charges, and damages in excess of $25,000. The Christ Hospital maintains it is not selling patient data to Meta or other third parties and is investigating the claims made in the lawsuit.
The post Lawsuit Alleges Christ Hospital Website Has Sent Patient Data to Meta appeared first on HIPAA Journal.