All manner of healthcare companies are under scrutiny for their data privacy practices. Recent reporting—and our independent investigation has confirmed—that hospital systems, medical providers, telehealth companies, online pharmacies and other similar companies are sharing extremely private and confidential health information with various third parties (like Facebook (Meta), Google and others) for marketing purposes via pixels embedded in their sites. 

What is a Pixel?

A pixel is a JavaScript snippet which, when added to website codes, allows developers to track user activity. So, for instance, when patients visit their hospital’s website to schedule an appointment, chat with their provider or engage in all manner of other confidential communications, these pixels can be configured to automatically send these (and other) communications to third parties like Facebook, for example. Once received by Facebook, that information can be combined with additional information (if the patients have a Facebook account) to create a robust profile. Working with those third-party marketers, the hospitals and other healthcare entities use that to send advertisements and develop other marketing strategies to increase revenue.

The problem with this approach is that hospitals and telehealth sites are often not informing their patients that their confidential health information is being shared with third parties in violation of Healthcare Insurance Portability and Accountability Act (HIPAA). And, oftentimes the information being shared is extremely sensitive and private like, for instance, treatments for addiction or mental health issues (which unfortunately still carry certain stigmas in our society).

According to Facebook’s 2018 response to a congressional questioning, there were 2.2 million pixels installed on websites across the internet. 

How does HIPAA protect patient data?

HIPAA is a federal law that protects a range of patient health information. Under HIPAA, healthcare providers and health plans cannot disclose this sensitive data without individual authorization.  

HIPAA specifically prohibits healthcare entities from selling or disclosing protected health information for marketing use without first obtaining patient consent. Unfortunately, numerous hospital and telehealth websites may violate these regulations through their use of pixels, as described above.

Which healthcare companies share healthcare data in this manner?

In January 2022, The Markup announced a joint investigation with Mozilla Rally into Meta Pixel and the scope of its data collection. Since then, The Markup has identified numerous hospital and telehealth websites that may use various tracking technologies to collect and to share personal and protected health information without informed consent

According to The Markup, dozens of telehealth websites may track patient activity through pixels and other tracking plugins. Using Markup’s tool, ProPublica found that various online pharmacies may share sensitive data about patients filling medications used to end pregnancies. In addition to the fact all patients are entitled to security in their private and protected health information, there are very tangible consequences of these undisclosed data practices.

For instance, if private information regarding a person’s substance abuse or addiction treatment was collected and shared with Facebook, such information could be associated with the patient’s Facebook profile to create a very robust data profile for marketing purposes. Similarly, a patient purchasing “morning after” medication from an online pharmacy should not have to be concerned that, depending on the state where they reside, that such information could be subpoenaed and turned over to law enforcement to prosecute abortions or to be subject to harassment by anti-abortion activists.

Consumers who visited these websites, portals or apps may have had their information unlawfully shared without their consent in violation of HIPAA and other privacy laws. If you are concerned that your privacy rights have been violated, we encourage you to get in touch.

We are at the forefront of litigation regarding the use of tracking technologies by healthcare entities; some of the cases we are currently litigating:

These are the hospital and telehealth pixel cases we are litigating: