Upperline Health Sharing Health Information With Advertisers To Improve Profits Featured
Upperline Health’s website uses tracking technology to report visitors personal health information to third parties in violation of privacy laws.
What happened?
A lawsuit was recently filed against Upperline Health, one of the nation’s largest provider network dedicated to specialty value-based foot and ankle care, alleging that the Company is engaged in the illegal and widespread practice of disclosing the confidential Personally Identifying Information (“PII”) and Protected Health Information (“PHI”) to third parties in violation of federal privacy law.
The lawsuit alleges that Upperline uses “Pixel” tracking technology to surreptitiously transmit website visitor interactions to large third party tech companies such as Facebook (Meta), Google, Microsoft, StackAdapt, CallRail and others.
Why is this important?
In order to combat the widespread dissemination of personal health information, the United States Department of Health and Human Services in 1996 established the Health Insurance Portability and Accountability Act (“HIPPA”). This Act sets out the standards for the privacy of individually identifiable information. Health care providers are governed by this rule and are required to protect PPI and PHI.
Under the HIPPA privacy rule, no health care provider can disclose a person’s PPI or PHI to a thrid party without express written authorization.
Upperline knew that use of Meta Pixel technology would transmit sensitive information to third parties.
The lawsuit alleges that Upperline offers various web-based tools that enable users to pay bills, complete patient paper work, view and offer services, find a doctor, find a location and more.
According to the lawsuit, the Meta Pixel technology was present on Upplerline’s websites from at least January 28, 2021 to and until April 3, 2023. Upperline knew or out to have known that by using this technology it was transmitting users private and confidential information to Facebook (Meta) without a users express written consent.
Upperline also implemented Facebook’s Conversion Applications Programming Interface to get around ad blockers.
Unlike the Meta Pixel, which co-opts a website user’s browser and forces it to transmit informaiton to Facebook in addition to the website owner, Facebook’s Conversion Applications Programming Interface (“CAPI”) does not cause the user’s browser to transmit information directly to Facebook. Instead, CAPI tracks the user’s website interactions, including private information then records and stores the information on the website owner’s server, and then transmits the data to Facebbok from the owners server.
Facebook encourages website owners and developers to use the CAPI and markets CAPI as a “better measure of ad performance and attribution across your customer’s full journey, from discovery to coversion. This helps you better understand how digital advertising impacts both online and offline results.”
In reality Facebook wants the ability to circumvent any ad blockers or other denials of consent by the website user that would prevent the Meta Pixel from sending the website users’ private information to Facebook directly.
Upperline knowingly installed a host of other data trackers for the sole purpose of improving profits and at patients’ expense.
Upperline also installed on its websites additional tracking technology including Facebook Events, Google Analytics with Google Tag Manager, Microsoft Universal Event Tracking, StackAdapt, and CallRail. On information and belief, these trackers operate similarly to the Meta Pixel and transmit a website user’s private information to other third parties.
According to the lawsuit, Upperline used these data trackers to bolster its profits in knowing defiance of user privacy laws.
Class action seeks to compensate patients for a host of expenses that could be incurred as a result of data disclosure.
The class action is open to anyone who used Upperline’s website to enter information or make enquiries.
In addition to seeking an award of actual, compensatory and statutory damages as well as penalties associated with violating users privacy laws, the lawsuit also is requesting that Upperline pay for not less than three years of credit monitoring for each affected user.