Judge Denies Motion to Stop Health Data Scraping by Meta
Early-Stage Ruling in Proposed Class Action Privacy Lawsuit Could 'Evolve'
A federal judge has denied a preliminary injunction sought against Meta to stop the company's Pixel tracking code in third-party healthcare websites from allegedly collecting and disseminating patient information for advertising purposes.
Plaintiffs in a proposed consolidated class action lawsuit in a San Francisco federal court sought the injunction, alleging that Facebook's parent company violated medical privacy laws by obtaining data from its web tracking Pixel tool embedded into patient portals and scheduling apps.
In his ruling on Thursday, U.S. District Judge William Orrick of the Northern District of California said that while the allegations against Meta are disturbing, the plaintiffs "do not meet the high standard required for a mandatory injunction" to be granted.
"To secure a mandatory injunction … plaintiffs need to show 'that the law and facts clearly favor [their] position, not simply that [they are] likely to succeed,'" he wrote.
"Our nation recognizes the importance of privacy in general and health information in particular: The safekeeping of this sensitive information is enshrined under state and federal law," Orrick wrote.
Meta's core defense in the case is that the company has measures in place, including policies and filtering, to address the alleged receipt of sensitive health information scraped by Pixel from websites upon which the tracking code is used (see: Federal Judge Skeptical of Facebook in Patient Privacy Suit).
Meta argues that it would be "unfairly burdensome and technologically infeasible for the company to take further action," the judge wrote.
"In light of the systems in place that Meta has created to block receipt of this sensitive information and the factual uncertainties, it is too early to find that the public interest supports a mandatory injunction," Orrick ruled. But he added, "Of course, my perspective may evolve as the factual record develops in the case."
Controversy Grows
The lawsuit seeks damages and is part of a wave of pressure against Meta regarding its collection and use of medical data. The issue surfaced this summer following the U.S. Supreme Court's decision to overturn precedent guaranteeing nationwide access to abortion. The ruling, known as Dobbs, increased concerns that tech companies track and possibly disclose individual health data to third parties.
Sen. Mark Warner, D-Virginia, wrote to Meta CEO Mark Zuckerberg in October to express concern over the company's ability to use its website tracking tools to obtain sensitive health data, including medical conditions, appointment dates and treating physician names.
So far, at least three healthcare entities have reported their use of Pixel as a HIPAA breach: North Carolina-based WakeMed Health and Hospitals; Advocate Aurora Health, a Midwest health system; and Indiana-based Community Health Network.