Talk to sales
Start for free

Facebook’s parent company Meta is facing two class-action lawsuits for using its tracking tool to obtain sensitive medical information from patients without consent. Keep reading to learn more about the Meta data breach and allegations.

Plus, find out how HIPAA email compliance can help healthcare providers safeguard data from every angle.


Meta sued for collecting patients’ private health data


The Markup recently evaluated the websites of Newsweek’s top 100 hospitals in America, and found the Meta Pixel installed on one-third of them. The Meta Pixel is a snippet of JavaScript code that logs visitor activity on websites for marketing and advertising purposes. The report also revealed that the tool was installed inside the password-protected patient portals of seven health systems.

As a result, packets of information were sent to Facebook whenever patients scheduled an appointment. This data included protected health information (PHI) such as medical conditions, doctors’ names, and medication details. Experts who reviewed The Markup report believe that these hospitals might have violated the Health Insurance Portability and Accountability Act (HIPAA).

Under the law, covered entities are prohibited from sharing personally identifiable information (PII) with third parties unless consent was expressed or certain contracts were put into place.


Patient lawsuits 


Meta is sued for collecting patients’ private health data by two patients so far. In response to the data breach, two patients have filed lawsuits against Meta. Although Meta’s website does state that “advertisers should not share health, financial, or other categories of sensitive information with Meta,” the lawsuits claim that the company did not enforce this policy and knowingly collected sensitive medical data.

In one lawsuit, a patient says that Facebook received her private medical information through the University of California San Francisco and Dignity Health patient portals. The patient then began seeing advertisements that were specifically tailored to her heart and knee conditions.

Another lawsuit was filed by a patient at the MedStar Health System in Baltimore, Maryland. It alleges that “at least 664 healthcare providers have sent medical data to Facebook through the Meta Pixel.”

The document notes that this violates not only HIPAA, but Facebook’s own user contract as well.


Preventive measures 


This data breach reinforces the importance of understanding the functions and potential risks behind third-party tools. In order to protect customer data, organizations should be regularly assessing their website content and paying close attention to new script behaviors. It’s also smart for site designers to implement certain controls over sections that collect sensitive data. This way, unwanted capabilities like reading form fields and data exfiltration can be blocked as needed. Additional website best practices for companies to keep top-of-mind include regularly updating all software, strengthening security through multi-factor authentication, and running vulnerability scans.


Read more: Choose your vendors wisely


HIPAA email rules and security


While analytics tools and other digital solutions may help improve patient engagement, they can also lead to HIPAA violations. In addition to always choosing HIPAA compliant third-party vendors, covered entities can go one step further to safeguard PHI with a stronger HIPAA email security strategy.

Designed to integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary.

Paubox Email Suite’s Plus and Premium plan levels also include robust inbound email security tools that block cyberattacks from reaching the inbox in the first place. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.


Try Paubox Email Suite Plus for FREE today.

HITRUST CSF certified 4.9/5.0 on the G2 Grid Paubox secures 70 million HIPAA compliant emails every month.

Start a 14-day free trial of Paubox Email Suite today