Two more prominent health systems have joined the ranks of organizations facing lawsuits claiming that they shared the personal information of patients with Meta, the parent company of Facebook.
Orlando Health faces a class action lawsuit in the U.S. District Court Middle District of Florida from a current patient alleging that the health system disclosed their personally identifiable information and protected health information (PHI) to third parties, including Meta.
The lawsuit asserted that the Facebook Tracking Pixel was embedded on Orlando Health’s website and transmitted details about the patient’s medical conditions to the social media giant. The suit also alleges that the Pixel is customizable and programmable by the website owner, which in this case is Orlando Health.
An Orlando Health spokesperson told Florida Politics that it doesn’t comment on pending litigation.
Meanwhile, U of L Health, based in Louisville, faces allegations from the mother of a pediatric psychiatric patient that the provider shared the patient's PHI with Meta. As in the suit against its Florida-based counterpart, the lawsuit alleges that U of L Health embedded the Pixel on its website and sent data about prescription drug histories and diagnoses to Meta.
As with Orlando Health, a spokesperson for U of L Health told the Louisville Courier Journal that it does not comment on pending litigation but added that PHI is “not accessible by Meta Pixel on their website.”
Additionally, Meta told the outlet that it filters out sensitive health information from being “ingested into our ads ranking and optimization systems.”
Orlando Health and U of L Health are among several notable hospitals and health systems across the country that have faced legal action in recent months related to Meta’s alleged collection of personal patient data.
Others include Advocate Aurora, WakeMed, Northwestern Memorial Hospital, UCSF Medical Center and Dignity Health Medical Foundation.
In light of growing concerns around online tracking technologies, the Office for Civil Rights at the Department of Health and Human Services issued a bulletin in December to underscore the obligations of covered entities and business associates under the Health Insurance Portability and Accountability Act of 1996.
“An impermissible disclosure of an individual’s PHI not only violates the Privacy Rule but also may result in a wide range of additional harms to the individual or others,” the bulletin read.
Beyond the legal repercussions and reputational risk associated with PHI being shared with third parties, there is a financial consideration as well for healthcare organizations when it comes to handling sensitive information.
Data breaches have become a much more frequent and expensive concern for the sector at large.
An IBM report released last year estimated that the average total cost of a data breach in the healthcare industry is $10.1 million, up 42% since 2020.