Want to read Slashdot from your mobile device? Point it at m.slashdot.org and keep reading!

 



Forgot your password?
typodupeerror
×
The Courts Facebook

Meta Sued For Violating Patient Privacy With Data Tracking Tool (theverge.com) 37

Facebook's parent company Meta and major US hospitals violated medical privacy laws with a tracking tool that sends health information to Facebook, two proposed class-action lawsuits allege. From a report: The lawsuits, filed in the Northern District of California in June and July, focus on the Meta Pixel tracking tool. The tool can be installed on websites to provide analytics on Facebook and Instagram ads. It also collects information about how people click around and input information into those websites.

An investigation by The Markup in early June found that 33 of the top 100 hospitals in the United States use the Meta Pixel on their websites. At seven hospitals, it was installed on password-protected patient portals. The investigation found that the tool was sending information about patient health conditions, doctor appointments, and medication allergies to Facebook.

This discussion has been archived. No new comments can be posted.

Meta Sued For Violating Patient Privacy With Data Tracking Tool

Comments Filter:
  • by Sebby ( 238625 ) on Tuesday August 02, 2022 @12:27PM (#62756294)

    fitting, isn't it?

  • As for the tracking tool being installed, this is almost surely driven by a business decision that did not receive any technical oversight at the hospital level. Or at least I surely hope that is the case.
    As to Meta/Facebook - I used VMs at one point to see what changes were made to them before and after logging in the first time with a brand new account.

    I was not pleased with my findings.

    • by techno-vampire ( 666512 ) on Tuesday August 02, 2022 @01:05PM (#62756394) Homepage
      Not only didn't it receive any technical oversight, they didn't run it past Legal to have due diligence done. I hope that each and every one of those hospitals is added to the class action suit and taken to the cleaners.
    • by rgmoore ( 133276 )

      I work in a hospital but not in anything patient related- I'm actually in research and tend to avoid anything clinical- but we still get HIPAA drilled into us. We're regularly reminded about the importance of not letting patient information get into the wrong hands. I find it incredibly hard to believe the hospital OKed letting this stuff going to Meta.

  • by sdinfoserv ( 1793266 ) on Tuesday August 02, 2022 @12:45PM (#62756348)
    This is a blatant HIPAA violation. It demonstrates FB’s complete lack of regard for existing laws and basic security (yours that is). This is the face of unrepentant greed, profit at any cost, sell your mother for buck.. aka neoliberal capitalism. We’ll see what happens, but my guess is nothing. Our only recourse is to drop FB. Don’t use their apps or hand your private life to these carpet baggers.
    • HIPAA violations are pretty serious. People go to jail for that. There's more than money at stake here.
      • by RKThoadan ( 89437 ) on Tuesday August 02, 2022 @01:14PM (#62756422)

        While HIPAA definitely has teeth, I'll be surprised if Meta is considered a covered entity according to the law. The hospitals are likely in way more trouble than Meta is. I agree they should be held accountable, but Meta really is just as guilty here.

        • by LeeLynx ( 6219816 ) on Tuesday August 02, 2022 @02:35PM (#62756672)
          They don't have to be a covered entity, they are a business associate, and: [ecfr.gov]

          A business associate may use or disclose protected health information only as permitted or required by its business associate contract or other arrangement pursuant to 164.504(e) or as required by law. The business associate may not use or disclose protected health information in a manner that would violate the requirements of this subpart, if done by the covered entity, except for the purposes specified under 164.504(e)(2)(i)(A) or (B) if such uses or disclosures are permitted by its contract or other arrangement.

    • Re: (Score:2, Informative)

      by taustin ( 171655 )

      Facebook isn't the medical provider, and thus isn't subject to HIPAA. The hospitals, however, are, and should be held brutally accountable. (And they, in turn, may well have a case against Facebook, if lies were told by their marketing droids.)

      • by LeeLynx ( 6219816 ) on Tuesday August 02, 2022 @02:36PM (#62756676)
        Medical providers are not the only entities covered by HIPAA.
        • by taustin ( 171655 )

          True. Health plans and healthcare clearinghouses are, as well. Facebook is neither.

          • Those too. Also, business associates of all of the above are *also* subject to HIPAA. Guess what Facebook is here?
      • Re: (Score:2, Informative)

        by sdinfoserv ( 1793266 )
        HIPAA covers the type of information, who's stealing it is not relevant. The hospitals have quite a bit of culpability here for not fully understanding what was being leaked from their websites. If however it comes back the Facebook failed to disclosed the data they were harvesting (aka lying), there are deeper ramifications, perhaps fraud.
        • by taustin ( 171655 )

          HIPAA covers the type of information, who's stealing it is not relevant.

          You are mistaken. [hhs.gov]

          From the authoritative source - the government agency that enforces the law:

          "A Covered Entity is one of the following:
          A Health Care Provider A Health Plan A Health Care Clearinghouse"

          Facebook is none of these entities.

          The hospitals have quite a bit of culpability here for not fully understanding what was being leaked from their websites. If however it comes back the Facebook failed to disclosed the data they were harvesting (aka lying), there are deeper ramifications, perhaps fraud.

          None of which are HIPAA related in any way.

          • Ask your HR department if they have to manage "HIPAA" data. They're answer will be yes, even though they're not a "health care clearing house".
    • This is a blatant HIPAA violation. It demonstrates FB’s complete lack of regard for existing laws and basic security (yours that is). This is the face of unrepentant greed, profit at any cost, sell your mother for buck.. aka neoliberal capitalism. We’ll see what happens, but my guess is nothing. Our only recourse is to drop FB. Don’t use their apps or hand your private life to these carpet baggers.

      Also shows just how little accountability employees of these companies have to the public. These employees conjure up the ideas, in the name of profits, knowing full well that if the government cracks down and applies penalties the company C. Corp standing will absorb the penalty while the company rakes in massive profits. This negligence happens all the time, and its disgusting. Capitalism at its finest.

  • If you buy a book from a bookstore, are you liable if the book contains private medical information? Meta simply bought this information and told the seller to certify that the information is sent with patient's permission. This is purely hospital's duty and only if hospital's are bankrupt then Meta is liable for violation here.

    The second allegation is about Meta using the information for serving ad. This could open up door for liability for Meta. However, here the patients will have to show an actual harm

    • If you take the private medical information in that book, and transcribe it into your own notes, you sure as hell are violating HIPAA. Not knowing what data you are collecting is not a valid excuse for this sort of violation- it is in fact what the laws are trying to prevent.
      • If you find someone's medical records in a book in a bookstore, you are in no way bound by HIPAA. You can make copies and post them on every lamp post you can find without violating HIPAA. That's not how HIPAA works, and that's not the problem with the analogy.
    • Meta simply bought this information and told the seller to certify that the information is sent with patient's permission.

      Oh, really? Have you ever gone to a website and seen a notice telling you that your data is being collected and sent to a third party? If so, were you ever given any option to opt out other than leaving the site? The whole point of this issue is that it's being collected without the patient's knowledge or consent.
      • by u19925 ( 613350 )

        This is all hospital's fault. Meta does not own hospital websites. So the liability is with the hospitals, not Meta.

    • If you made prior arrangements with a hospital to handle that book on their behalf, with the express agreement that you would not use any PIA inside, and then used that information for an improper purposes under HIPAA, yes, yes you would be liable. You are really bad at analogies.
  • ..I installed No Script. When I logged into my hospital account I noticed that the browser was sending information to Facebook (which freaked me out a bit). After installing No Script, I blocked all ability (that I know of) for the browser to send back info to Facebook.
    • You blocked your browser doing it, but obviously you didn't stop their server doing it. Tracking is done using both client and server-side methods, and it's up to the organization to implement either or both.

  • Violating the privacy of its users is basically the business model of the Metastasis.

  • just claim it was an 'error' business as usual.
  • I hope someone will actually post if each of the 33 offending entities are fined 60K each. This needs followup. https://www.hipaajournal.com/w... [hipaajournal.com] 60K is nothing really, as a botched change says they do NOT have any QA that checks hippa compliance. That's negligence, and the providers have the option to sue their webadmin dudes for losses and loss of reputation.

The gent who wakes up and finds himself a success hasn't been asleep.

Working...