Meta sued for collecting patients’ private health data

Facebook’s parent company Meta is facing two class-action lawsuits for using its tracking tool to obtain sensitive medical information from patients without consent.

Keep reading to learn more about the Meta data breach and allegations. Plus, find out how HIPAA email compliance can help healthcare providers safeguard data from every angle.

Meta sued for collecting patients’ private health data

The Markup recently evaluated the websites of Newsweek’s top 100 hospitals in America and found the Meta Pixel installed on 33 of them. The Meta Pixel is a snippet of JavaScript that logs visitor activity on a website and reports it to Meta for marketing and advertising purposes.

The report also revealed that the tool was installed inside the password-protected patient portals of seven health systems. As a result, packets of information were sent to Facebook whenever patients scheduled an appointment. This data included protected health information (PHI) such as medical conditions, doctors’ names, and medication details.

Experts who reviewed The Markup report believe that these hospitals might have violated the Health Insurance Portability and Accountability Act (HIPAA). Under the law, covered entities may not disclose protected health information (PHI) to a third party without the patient’s authorization or a business associate agreement with that party.

Patient lawsuits 

So far, two patients have filed class-action lawsuits against Meta over the data collection. Although Meta’s own policy states that “advertisers should not share health, financial, or other categories of sensitive information with Meta,” the lawsuits claim that the company did not enforce this policy and knowingly collected sensitive medical data.

In one lawsuit, a patient says that Facebook received her private medical information through the University of California San Francisco and Dignity Health patient portals. The patient then began seeing advertisements that were specifically tailored to her heart and knee conditions.

Another lawsuit was filed by a patient at the MedStar Health System in Baltimore, Maryland. It alleges that “at least 664 healthcare providers have sent medical data to Facebook through the Meta Pixel.” The document notes that this violates not only HIPAA, but Facebook’s own user contract as well.

Preventive measures 

This incident reinforces the importance of understanding what third-party tools actually do and the risks they carry. To protect patient data, organizations should regularly inventory the scripts on their websites and patient portals, and watch for changes in what those scripts read and where they send it.

Site designers should also put controls around pages and forms that collect sensitive data, for example a Content Security Policy that only lets approved scripts load and only lets the page send data to approved hosts, so that an unwanted script cannot read form fields or exfiltrate them. A script you do allow can still read the page, so the safest control is not to load marketing trackers on pages that handle PHI at all.
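As an added example (not code from the article, from The Markup, or from Meta), here is a small Node.js audit that does what the two paragraphs above describe: it scans a page’s HTML for the known Meta Pixel loader, call and beacon patterns, lists every third-party host the page references (inline script text included), flags pages that also carry sensitive form fields, and then builds and checks a Content-Security-Policy that stops unapproved scripts from loading and stops the page from sending data to unapproved hosts. The sample portal page, the hospital hostname, the pixel ID and the list of sensitive field names are constructed for the example; the snippet shapes it matches (the connect.facebook.net fbevents.js loader, the fbq('init'/'track') calls, and the facebook.com/tr image beacon) are the ones Meta publicly documents for the pixel.

```javascript
// Added example (not from the article, The Markup, or Meta): audit a page for
// tracking scripts and check it against a restrictive Content-Security-Policy.
// Run with: node audit.js

// Constructed sample: a patient-portal appointment page carrying the standard
// Meta Pixel snippet. The hostname, pixel ID and field names are made up.
const OWN_HOST = 'portal.example-hospital.org';
const SAMPLE_PAGE = `
<html><head>
<script src="https://portal.example-hospital.org/js/app.js"></script>
<script>
  !function(f,b,e,v,n,t,s){ /* pixel bootstrap elided */ }(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body>
<form action="/appointments" method="post">
  <input name="provider_name">
  <select name="appointment_reason"></select>
  <textarea name="current_medications"></textarea>
  <input name="zip">
</form>
</body></html>`;

// Publicly documented shapes of the Meta Pixel: the fbevents.js loader, the
// fbq() bootstrap calls, and the <img> beacon that fires when JS is disabled.
const KNOWN_TRACKERS = [
  { name: 'Meta Pixel loader', pattern: /connect\.facebook\.net\/[^"'\s]*fbevents\.js/i },
  { name: 'Meta Pixel call',   pattern: /\bfbq\s*\(\s*['"](?:init|track|trackCustom)['"]/i },
  { name: 'Meta Pixel beacon', pattern: /https?:\/\/www\.facebook\.com\/tr\b/i },
];

// Field names that suggest PHI is being collected (assumption; tune per site).
const SENSITIVE_FIELD = /provider|doctor|physician|reason|diagnosis|condition|medication|symptom|insurance|dob|ssn/i;

// Every absolute-URL host the page references, inline script text included,
// minus the site's own host.
function thirdPartyHosts(html, ownHost) {
  const hosts = new Set();
  for (const m of html.matchAll(/https?:\/\/([a-z0-9.-]+)/gi)) {
    if (m[1].toLowerCase() !== ownHost) hosts.add(m[1].toLowerCase());
  }
  return [...hosts].sort();
}

// Names of form controls whose name attribute looks sensitive.
function sensitiveFields(html) {
  return [...html.matchAll(/<(?:input|select|textarea)\b[^>]*\bname=["']([^"']+)["']/gi)]
    .map(m => m[1])
    .filter(name => SENSITIVE_FIELD.test(name));
}

// Trackers present, third-party hosts, sensitive fields, and a rough risk rating:
// a tracker on a page that also collects sensitive fields is the high-risk case.
function auditPage(html, ownHost) {
  const trackers = KNOWN_TRACKERS.filter(t => t.pattern.test(html)).map(t => t.name);
  const fields = sensitiveFields(html);
  const risk = trackers.length === 0 ? 'low' : fields.length === 0 ? 'medium' : 'high';
  return { trackers, thirdPartyHosts: thirdPartyHosts(html, ownHost), sensitiveFields: fields, risk };
}

// A CSP for pages that handle PHI. With no 'unsafe-inline', the inline pixel
// bootstrap is blocked too; connect-src and img-src stop fetch/XHR/sendBeacon
// and image-beacon exfiltration to hosts you have not listed.
function buildCsp(allowedScriptHosts = []) {
  return [
    "default-src 'self'",
    `script-src 'self' ${allowedScriptHosts.join(' ')}`.trim(),
    "connect-src 'self'",
    "img-src 'self'",
    "form-action 'self'",
  ].join('; ');
}

function parseCsp(csp) {
  const policy = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/);
    if (name) policy[name] = sources;
  }
  return policy;
}

// Simplified CSP source matching: handles 'self', 'unsafe-inline', '*', host
// and *.host sources, and falls back to default-src the way browsers do.
function cspAllows(csp, directive, resourceUrl, ownHost, inline = false) {
  const policy = parseCsp(csp);
  const sources = policy[directive] || policy['default-src'] || [];
  if (inline) return sources.includes("'unsafe-inline'");
  const host = new URL(resourceUrl).hostname;
  return sources.some(s =>
    (s === "'self'" && host === ownHost) ||
    s === '*' ||
    s.replace(/^https?:\/\//, '') === host ||
    (s.startsWith('*.') && host.endsWith(s.slice(1))));
}

const report = auditPage(SAMPLE_PAGE, OWN_HOST);
console.log(JSON.stringify(report, null, 2));
const csp = buildCsp();
for (const [directive, url] of [
  ['script-src', 'https://connect.facebook.net/en_US/fbevents.js'],
  ['img-src', 'https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1'],
  ['script-src', `https://${OWN_HOST}/js/app.js`],
]) {
  console.log(`${directive} ${url}: ${cspAllows(csp, directive, url, OWN_HOST) ? 'allowed' : 'BLOCKED'}`);
}
```

On the sample page the audit reports all three pixel patterns, two third-party hosts, three sensitive fields and a high risk rating, and the generated policy blocks the fbevents.js loader, the inline bootstrap and the /tr image beacon while still allowing the portal’s own app.js. The CSP matcher is deliberately simplified (no scheme-only or nonce/hash sources); use it to reason about a policy before deploying, not as a substitute for browser testing.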

Additional website best practices for companies to keep top-of-mind include regularly updating all software, strengthening security through multi-factor authentication, and running vulnerability scans.


HIPAA email rules and security

While analytics tools and other digital solutions may help improve patient engagement, they can also lead to HIPAA violations. In addition to always choosing HIPAA compliant third-party vendors, covered entities can go one step further to safeguard PHI with a stronger email security strategy.

Designed to integrate with your existing email platform, Paubox Email Suite enables HIPAA compliant email by default to ensure automatic compliance with HIPAA email rules. This means you don’t have to spend time deciding which emails to encrypt and your patients are able to receive your messages right in their inbox—no additional passwords or portals necessary.

Paubox Email Suite’s Plus and Premium plan levels also include robust inbound email security tools that block cyberattacks from reaching the inbox in the first place. Our patent-pending Zero Trust Email feature uses email AI to confirm that an email is legitimate. Additionally, our patented ExecProtect solution quickly intercepts display name spoofing attempts.


About the author

Sara Uzer