April 13, 2016

Martha Neil reports:

A 2012 federal lawsuit over Facebook tracking of users filed by attorney Paul Kiesel was dismissed last year, with leave to refile.

U.S. District Judge Edward Davila said the plaintiffs in the San Jose, California, case didn’t make clear how they suffered “a realistic economic harm or loss” due to continued tracking by advertising cookies after they logged out of their Facebook accounts, as Bloomberg reported at the time.

But Kiesel is trying again. In another federal court complaint filed in San Jose last month, he accuses Facebook and a number of medical groups of violating the Health Insurance Portability and Accountability Act by disclosing medical information about Facebook users without their express consent, reports the International Business Times.

The problem, according to the suit, is cookies that track web searches made by Facebook users on cancer organization sites. Although the user’s name may not be provided to third parties along with the subject of their searches, HIPAA prohibits gathering or sharing medical information without express consent from the individual, explains the Richmond Journal of Law & Technology.

“Facebook is capturing users’ searches for medical information from medical websites without users ever knowing this sensitive data is being shared with Facebook, for marketing and other purposes,” Kiesel told the IBT.

The suit also accuses Facebook of violating the privacy laws of multiple states and federal wiretap law by collecting data without appropriate authorization. It says Facebook creates marketing profiles for its 225 million users that enable companies to target them with advertising for conditions including pregnancy, diabetes, addiction and HIV/AIDS, reports Courthouse News.

Read more on ABA Journal.

As I commented on Twitter tonight, Facebook is not a HIPAA-covered entity, therefore if the complaint alleges they violated HIPAA, that should get tossed (in the world according to Dissent). The hospitals, on the other hand, may find themselves in a difficult situation. Even if they didn’t know that their sites were transmitting data to Facebook, they are responsible for protecting information.

Under HIPAA, the sites may be responsible for protecting patients’ protected health information (PHI). There are 18 elements to PHI that can personally identify a patient, including IP address and URL. So if a site visitor’s IP address and the URLs they visit are transmitted to Facebook without the individual’s express consent, the plaintiffs may have some actual grounds to claim a HIPAA violation.

Yes, I realize that site visitors are not necessarily patients, and that the site’s web site privacy policy should control and not HIPAA, but as has been pointed out in other situations, if you’re a HIPAA-covered entity in one situation, you’re a HIPAA-covered entity, so maybe HIPAA protections also apply to those who are just web site visitors.

This will be an interesting case to watch.

Related: Complaint in Smith v. Facebook.

  2 Responses to “Facebook capture of medical info from web searches by users violates HIPAA and other laws, suit says”

  1. I may be confused. I am not sure why users would be using the Facebook search engine to be looking for specific information. There are tons of search engines that do not require Facebook login. I am just perplexed on that one alone.

    Also, A LOT of people post their medical x-rays, scans, ultrasounds (to announce pregnancies) or to keep people in their network up to date on their current medical conditions. (I personally think that is a lot of information to share on Facebook, but who am I to judge). Is it possible, those images or words and hashtags are part of the problem too?

  2. You are confused. They’re searching on the medical web sites and their data are being transmitted to Facebook via tracking cookies.

    What doesn’t seem to be covered in the lawsuit is what happens to people who are not registered Facebook users. It would seem that their data may also be sent to Facebook, but I’m not sure I understand the tech details of FB’s tracking well enough to be sure about that.
