Class Action Alleges Advocate Aurora Failed To Obtain Patient’s Consent To Share Private Health Data
A class action lawsuit was recently filed against Advocate Aurora Health Inc. and Meta Platforms Inc. (Facebook) alleging that Aurora shared confidential Private Health Information (PHI) with Facebook through computer code embedded on Aurora Health’s websites and apps.
Advocate Aurora Health, one of the Chicago area’s largest healthcare providers, stated that the PHI of up to 3 million patients is being sent to Facebook and Google. Facebook and Google share this information with third parties for a fee without patients’ knowledge or consent.
Healthcare providers, like Advocate Aurora, have a fiduciary duty under the Health Insurance Portability and Accountability Act of 1996 (HIPAA) and other federal regulations to keep patient information confidential unless the patient authorizes the provider to share the data.
The lawsuit also alleges that Advocate Aurora violated the Electronic Communications Act and Stored Communications Act, and asserts claims for breach of contract, breach of implied duty of confidentiality and invasion of privacy.
Advocate Aurora’s Use of Internet Tracking Tools On Its Websites Enabled Data Sharing
Advocate Aurora explained in a statement on its website that through its use of internet tracking technologies certain interactions on the provider’s website were transmitted to Facebook and Google.
Advocate Aurora collects and shares the PHI through a snippet of programming code called a “Meta Pixel.” Once the Meta Pixel is installed on a webpage or mobile app, it tracks users as they use a website or app and sends information about their usage to Facebook, according to the complaint.
Advocate Aurora Benefited Financially Through Its Use Of Facebook Pixel
The complaint alleges that Advocate Aurora installed the Meta Pixel “because it benefits financially from the targeted advertising and information services that stem from the use of the Pixel.”
Advocate Aurora reportedly encourages its patients to utilize its secure LiveWell and MyChart portals to communicate with doctors, access test results, schedule appointments, request prescription refills and view account details.
According to the lawsuit, whenever a patient uses Advocate’s websites and applications, including its LiveWell and MyChart portals, Advocate and Facebook cause transmission of personally identifiable patient information and PHI without patients’ knowledge, consent or authorization.
Facebook “requires” businesses that use the Meta Pixel to have the legal right to collect, use and share data, but the social media giant allegedly stops short of verifying that businesses have obtained consent to share such data.
Advocate Removes Pixel After Use Of Tracking Tool Became Public
The health system said it has disabled and/or removed the pixels from its platforms and launched an internal investigation to better understand what patient information was transmitted to third-party vendors.
“Out of an abundance of caution, Advocate Aurora Health has decided to assume that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on Advocate Aurora Health’s platforms, may have been affected,” Advocate Aurora Health officials wrote in the statement.
Advocate Aurora had advised patients to use browser tracker-blocking features or incognito mode when logging into medical portals. It also suggested that those with Facebook or Google accounts examine their privacy settings.
The lawsuit seeks damages and other relief.