Lawsuit Alleges Iowa Health Center Sent PHI to Facebook

Latest in a String of Similar Proposed Class Actions Across Healthcare Industry

The University of Iowa Health Care is facing a proposed class action lawsuit alleging it used website tracking pixels to transmit patient data to Facebook. The claim is the latest in a string of legal actions against other healthcare centers that pasted Facebook Pixel and similar online behavior tracking codes into their patient portals. Concerns, and lawsuits, over the use of web trackers by the healthcare industry have increased significantly in the last 9 months.

The complaint alleges that the Iowa medical center “purposely and intentionally” installed the pixel and conversions API to “surreptitiously share its potential and current users’ private and protected communications with Facebook,” including information protected by HIPAA.

Facebook faces a consolidated putative class action lawsuit in the U.S. District Court for the Northern District of California, alleging the social media giant violated medical privacy laws by obtaining data from its web tracking Pixel tool embedded into patient portals and scheduling apps.

UIHC, in a statement to Information Security Media Group, said the allegations are unfounded. “University of Iowa Health Care is committed to protecting patient privacy. We do not share protected health information of our patients with Meta or Facebook.”

Plaintiff attorney Brian Marty of Shindler, Anderson, Goplerud & Weese said, “The facts alleged in the complaint speak for themselves, as well as the dozens of other lawsuits filed across the country alleging the same or similar misconduct by healthcare providers.”

The Department of Health and Human Services has since warned that commercial web traffic trackers embedded into patient portals may violate privacy law. A growing number of healthcare companies are treating past use of trackers as a reportable data breach incident. The department’s top HIPAA enforcer said in early April that regulators will “hopefully soon” bring an enforcement action for tracking-tool-related HIPAA violations.

Having web-tracking tools in the vicinity of PHI is always a risk. Acceptable marketing practices in other industries will often run afoul of regulations in the healthcare world.

If you have questions about IT security, PHI protection, and the changing threat landscape, call ITPAC today.