Martha Neil reports:
A 2012 federal lawsuit over Facebook tracking of users filed by attorney Paul Kiesel was dismissed last year, with leave to refile.
U.S. District Judge Edward Davila said the plaintiffs in the San Jose, California, case didn’t make clear how they suffered “a realistic economic harm or loss” due to continued tracking by advertising cookies after they logged out of their Facebook accounts, as Bloomberg reported at the time.
But Kiesel is trying again. In another federal court complaint filed in San Jose last month, he accuses Facebook and a number of medical groups of violating the Health Insurance Portability and Accountability Act by disclosing medical information about Facebook users without their express consent, reports the International Business Times.
The problem, according to the suit, is cookies that track web searches made by Facebook users on cancer organization sites. Although the user’s name may not be provided to third parties along with the subject of their searches, HIPAA prohibits gathering or sharing medical information without express consent from the individual, explains the Richmond Journal of Law & Technology.
“Facebook is capturing users’ searches for medical information from medical websites without users ever knowing this sensitive data is being shared with Facebook, for marketing and other purposes,” Kiesel told the IBT.
The suit also accuses Facebook of violating the privacy laws of multiple states and federal wiretap law by collecting data without appropriate authorization. It says Facebook creates marketing profiles for its 225 million users that enable companies to target them with advertising for conditions including pregnancy, diabetes, addiction and HIV/AIDS, reports Courthouse News.
Read more on ABA Journal.
As I commented on Twitter tonight, Facebook is not a HIPAA-covered entity, therefore if the complaint alleges they violated HIPAA, that should get tossed (in the world according to Dissent). The hospitals, on the other hand, may find themselves in a difficult situation. Even if they didn’t know that their sites were transmitting data to Facebook, they are responsible for protecting information.
Under HIPAA, the sites may be responsible for protecting patients’ protected health information (PHI). There are 18 elements to PHI that can personally identify a patient, including IP address and URL. So if a site visitor’s IP address and the URLs they visit are transmitted to Facebook without the individual’s express consent, the plaintiffs may have some actual grounds to claim a HIPAA violation.
This will be an interesting case to watch.
Related: Complaint in Smith v. Facebook.