Two Louisiana health systems are being sued over the use of pixels on their websites, which allegedly captured and impermissibly disclosed patient data to third parties such as Facebook and Instagram. New Orleans-based LCMC Health System operates 9 hospitals in Southern Louisiana and Shreveport-based Willis-Knighton Health System operates 5 hospitals in Northwestern Louisiana. Both health systems are named as defendants in a lawsuit recently filed by law firm Herman Herman & Katz on behalf of plaintiff John Doe and similarly situated individuals.
The lawsuit alleges the health systems added Meta Pixel code to their websites, which allows the sensitive personal and protected health information of website users to be captured. The code is typically used for tracking user activity on websites to improve website performance and the user experience; however, the tracking code also transmits data to Meta, and that information is potentially made available to third parties for advertising purposes on its Facebook and Instagram social media platforms.
The Department of Health and Human Services’ Office for Civil Rights (OCR) recently confirmed that the use of tracking technologies on websites without a business associate agreement or patient authorization violates HIPAA. Many health systems have used Meta Pixel code and other tracking technologies on their websites and web apps, some of which have since reported the impermissible disclosures to OCR, as required under the HIPAA Breach Notification Rule. At the time of writing, neither health system has reported such a breach to OCR.
The lawsuit alleges the health systems failed to obtain authorization from website users before adding the code, and that the privacy violation has most likely persisted for several years. The lawsuit claims the code transmitted the sensitive data of hundreds of thousands of individuals without the knowledge of website users and that the information may have been used to serve targeted advertisements related to the medical conditions disclosed via the websites, such as when entering information to schedule appointments.
While OCR has confirmed that such disclosures are HIPAA violations, there is no private cause of action in HIPAA, so patients cannot sue for HIPAA violations. The lawsuit does not reference HIPAA and instead says the disclosures violate Louisiana law, which generally prohibits the sharing of personal health information with third parties without consent. The lawsuit claims the use of these technologies without consent is a gross violation of privacy and calls for the health systems to stop using the tracking technologies, for any profit from the transfer of data to be paid to victims, and for an award of damages. Both health systems have confirmed they are aware of the lawsuit, plan to vigorously defend against the plaintiffs’ claims, and confirmed they are deeply committed to protecting patient privacy.
The post Louisiana Health Systems Sued for Pixel-Related Disclosures of Patient Information appeared first on HIPAA Journal.