What The Meta Pixel Lawsuits Mean for Healthcare

The Meta Pixel lawsuits have now made their way to Louisiana.

These class action lawsuits began in 2022 and target healthcare providers nationwide. They allege that healthcare providers using the “Meta Pixel” website code potentially shared the confidential medical information of hundreds of thousands of patients in violation of the Health Insurance Portability and Accountability Act (HIPAA) and state privacy laws.

Here is what you need to know about these lawsuits and how to protect your facility from the ongoing threat of exposure to them.

Louisiana Hospitals Added to Class Action Lawsuit

According to multiple local and national news outlets, LCMC Health in New Orleans and Willis-Knighton Medical Centers in northwest Louisiana were recently named in class action lawsuits accusing both healthcare providers of sharing confidential patient health information via social media tracking tools.

The lawsuit claims that when patients made appointments on Louisiana hospital websites, Facebook's Pixel code could access their private medical data, such as their medical conditions, medications, and doctor's name. The information was then used to target ads to those patients on their social media accounts.

An example of this includes a woman who allegedly received online ads about heart disease and joint pain just moments after entering her information on one of the hospital websites.

Law firm Herman Herman & Katz — who filed the class-action suits — stated in a video that it plans to force LCMC and Willis-Knighton to stop using Meta Pixel. In addition, the firm wants any profit the healthcare providers made from allegedly selling patient data to be repaid to those impacted.

Federal law, state law, and HIPAA require patient consent and a business agreement to share patient health information (PHI) between companies. While the lawsuits allege that Meta Pixel collected and shared PHI in violation of Louisiana patient privacy laws, they do not directly mention HIPAA.

What Is Meta Pixel?

Ultimately, healthcare providers are businesses. And as a business owner, it is important to understand if your marketing efforts are reaching the desired audience. To do this, several social media companies (including Facebook and Instagram’s parent company, Meta) offer tools like Meta Pixel to track website user interactions, using JavaScript code.

Trackers are designed to collect information from users when they visit a website, gathering data such as HTTP headers, clicks, form fields, and anything else that has been specified. Meta Pixel can be easily added to a business website through manual coding or partner integration. Meta Pixel in healthcare is used on provider websites in multiple ways.

Businesses might not be conscious of the information their tracking tools are obtaining. If the trackers are not properly set up through the company's business settings, they could be gathering confidential user data.

An investigation by The Markup in June 2022 found that approximately one-third of the top hospitals in the United States used Meta Pixel to track user activity on their websites, using secure patient portals and appointment scheduling pages as data sources. After being contacted by the organization, seven hospitals and five health systems had removed Meta Pixel from their web pages as of the time of the report’s publication.

How to Protect Your Healthcare Facility

The following are recommendations from our cyber reinsurer, Tokio Marine, regarding how to protect your healthcare facility from exposure.

You are strongly encouraged to identify any specific forms or pages on your company websites containing Meta Pixel. Delete Meta Pixel using the following information:

1. Use a tool to assess whether your website uses Meta Pixel.

We have no connection to this external tool and cannot promise the quality of their product and services, such as recognizing a pixel behind a sign-in page. Since we are not in control of their products and services, we are not liable for the content or any links on the website or any interruptions in their services.

To remove Meta Pixel, please refer to the instructions found in the following links.

1. Remove Meta Pixel by following the instructions on the following links:

• If Meta Pixel is hardcoded on your website, use these instructions.

• If Meta Pixel is a plugin, direct website, partner integration, or Google Tag Manager implementation, use these instructions.

Looking Forward

The Meta Pixel lawsuits are a developing situation that will continue to evolve in 2023. While we expect more healthcare systems nationwide to face class action lawsuits based on similar arguments, it is impossible to predict exactly when and where they will occur.

We may not have a crystal ball, but LHA Trust Funds provides you with trusted resources to help your organization. Here are some of our sources — recommended by Tokio Marine — along with additional information:

• What is a Facebook Pixel? Meta’s tracking tool explained
• How to delete a Facebook Pixel
• Meta facing scrutiny over the use of Meta Pixel tracking code on hospital websites
  

Explore more resources about cyber security issues in our Cyber Risk Toolkit.