RISK ALERT TO POLICYHOLDERS:
Class Actions against Organizations Using Meta Pixel, Alleging Violations of Privacy Laws

We are seeing hundreds of healthcare providers and other businesses targeted by class action lawsuits across the country. The suits allege the unauthorized disclosure of personally identifiable information (PII) and protected health information (PHI) gathered through a tracker called Meta Pixel, and they seek civil damages for each disclosure. The potential exposure from this litigation may be significant, and we want to be sure you are aware of it. Recently, a class action against a healthcare organization in the Northeastern United States, alleging unauthorized disclosure of PHI in part because of the Meta Pixel, resulted in a settlement of $18.4 million.
In addition to the exposure organizations may face from class action lawsuits, breach notifications and regulatory enforcement may also cause significant expense. The conduct alleged, unauthorized disclosure of PHI and/or PII to third parties, may violate HIPAA as well as the state privacy laws that prohibit such disclosures. In just the past month, two large health systems have sent data breach notifications to approximately 3.5 million patients because of Meta Pixel.
What is Meta Pixel?
As a business owner, you need to know whether your ads are reaching your customers. To measure this, several companies (including Meta, the parent company of Facebook) offer tools such as Meta Pixel that track website user interactions with JavaScript code. When a user visits a page in a browser, the tracker's script runs in that browser and can collect information from HTTP headers, button click data, form field names, and other data the site is configured to send. Meta Pixel is added to a business website either manually by a developer (hardcoded into the page) or through a plugin, a partner integration, or a tag manager such as Google Tag Manager.
Businesses are often unaware of what data these tracker tools collect. If a tracker is not configured correctly, it may collect sensitive user data. Approximately one third of U.S. hospitals used Meta Pixel to track user activity on their websites, including patient portals and appointment scheduling pages. Federal and state law, including HIPAA, require patient authorization or a business associate agreement (BAA) with the recipient before PHI is shared with another company.
Recommendations
Share this bulletin with your Information Technology staff and/or third-party IT service provider and seek their assistance.
We strongly encourage you to identify any specific forms or pages on your company websites that contain Meta Pixel and to remove it, using the following information.
- Use a tool to assess whether your website uses Meta Pixel: https://themarkup.org/blacklight.
  (Please note: we are unaffiliated with this third-party tool and cannot guarantee its product or service, for example its ability to detect a pixel behind a login page. Their product and service are not under our control, and we are not responsible for the content of or any link on such sites, or for the temporary or permanent unavailability of such third-party sites or services.)
- Remove Meta Pixel by following the instructions at the following links:
  - If hardcoded on your website: https://www.facebook.com/business/help/4224030857607474
  - If installed through a plugin, a direct website or partner integration, or a Google Tag Manager implementation: https://back2marketingschool.com/delete-facebook-pixel/
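The script below is an added example; it is not part of this bulletin and is not code from Meta or from The Markup. It checks the HTML your site actually serves (fetched with an authenticated session or exported from your templates, so pages behind a login are covered) for the standard Meta Pixel base code: the fbevents.js loader, fbq('init', ...) calls, the noscript fallback image request to facebook.com/tr, and fbq('track', ...) events. It then flags pages where a pixel shares the page with a form, because form field names are among the data the pixel script can send. The pixel IDs, page paths and HTML are constructed sample data, and the "high" / "review" / "none" levels are an assumed triage scheme for IT staff, not a legal determination.

```javascript
// Added example (not from the bulletin or from Meta): scan served HTML for the
// standard Meta Pixel base code and flag pages that also carry a form.
// All pixel IDs, paths and page contents below are constructed sample data.

const PIXEL_PATTERNS = {
  // The base code loads Meta's event script from connect.facebook.net.
  loader: /connect\.facebook\.net\/[A-Za-z_]+\/fbevents\.js/,
  // fbq('init', '<numeric pixel id>') binds the page to a pixel.
  init: /fbq\(\s*['"]init['"]\s*,\s*['"](\d{5,})['"]/g,
  // The <noscript> fallback is a 1x1 image hit to facebook.com/tr?id=<pixel id>.
  noscriptImg: /facebook\.com\/tr\?[^"'>\s]*\bid=(\d{5,})/g,
  // fbq('track', '<event>') and fbq('trackCustom', ...) report events to Meta.
  track: /fbq\(\s*['"]track(?:Custom)?['"]\s*,\s*['"]([^'"]+)['"]/g,
};

// Names of form controls on the page: the fields a visitor types PHI into.
const FORM_FIELD = /<(?:input|select|textarea)\b[^>]*\bname=["']([^"']+)["']/gi;

function scanForPixel(html) {
  const ids = new Set();
  const events = new Set();
  for (const m of html.matchAll(PIXEL_PATTERNS.init)) ids.add(m[1]);
  for (const m of html.matchAll(PIXEL_PATTERNS.noscriptImg)) ids.add(m[1]);
  for (const m of html.matchAll(PIXEL_PATTERNS.track)) events.add(m[1]);
  const loader = PIXEL_PATTERNS.loader.test(html);
  return {
    found: loader || ids.size > 0,
    loader,
    pixelIds: [...ids].sort(),
    events: [...events].sort(),
  };
}

function formFieldNames(html) {
  return [...html.matchAll(FORM_FIELD)].map((m) => m[1]).sort();
}

// Assumed triage scheme: 'high' when a pixel shares a page with a form,
// 'review' when a pixel is present without a form, 'none' when nothing was seen.
function riskLevel(pixel, fields) {
  if (!pixel.found) return 'none';
  return fields.length > 0 ? 'high' : 'review';
}

function auditPages(pages) {
  return pages.map(({ path, html }) => {
    const pixel = scanForPixel(html);
    const fields = formFieldNames(html);
    return { path, pixel, formFields: fields, risk: riskLevel(pixel, fields) };
  });
}

// Constructed sample: an abbreviated copy of the Meta Pixel base code with a
// made-up pixel ID. Only the parts the scanner keys on are reproduced.
const PIXEL_BASE_CODE = `<!-- Meta Pixel Code -->
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};t=b.createElement(e);
t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=1234567890&ev=PageView&noscript=1"/></noscript>
<!-- End Meta Pixel Code -->`;

// Constructed sample pages, as an authenticated crawl or template export might return them.
const SAMPLE_PAGES = [
  { path: '/', html: `<html><head>${PIXEL_BASE_CODE}</head><body><h1>Welcome</h1></body></html>` },
  { path: '/portal/appointments',
    html: `<html><head>${PIXEL_BASE_CODE}<script>fbq('track', 'Schedule');</script></head>
<body><form method="post" action="/portal/appointments">
<input name="reason_for_visit" type="text">
<input name="insurance_member_id" type="text">
<select name="provider"><option>Clinic A</option></select>
<button type="submit">Request appointment</button></form></body></html>` },
  { path: '/about', html: '<html><head><title>About</title></head><body><p>No tracker.</p></body></html>' },
  { path: '/legacy',
    html: '<html><body><noscript><img src="https://www.facebook.com/tr?id=9876543210&ev=PageView&noscript=1"/></noscript></body></html>' },
];

console.log(JSON.stringify(auditPages(SAMPLE_PAGES), null, 2));
```

This only finds a pixel that is hardcoded into the HTML the server returns. A pixel loaded through Google Tag Manager, a plugin or a partner integration does not appear in page source, so for those installations inspect the tag container configuration as well, and watch the browser's network panel for requests to facebook.com/tr while using the login-protected pages.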
Sources & Additional Info