WakeMed sued again for sharing ‘protected health information’ with Facebook

Chuck Liddy/cliddy@newsobserver.com

WakeMed is facing yet another lawsuit over a digital tracker on its website that sent sensitive patient health data to Meta, the parent company of Facebook.

The ‘Meta pixel’ was installed on the health system’s appointment scheduling page and on its password-protected patient portal, potentially giving the advertising giant access to information about patients’ health conditions, contact information and vaccination status, an investigation by The Markup and STAT, two nonprofit news organizations, found in June.

The class action complaint, which focuses on a Raleigh woman, claims the health system failed to adequately protect patient information, train its employees and comply with industry-standard data security practices. Ultimately, the lawsuit argues, the health system unlawfully disclosed the plaintiff’s personally identifiable information and protected health information without her consent.

“(It) is an egregious breach of the duty it owed its patients to keep their Private Information confidential and secure from unauthorized disclosure,” the lawsuit says.

A spokesperson for the health system said it does not comment on pending litigation.

The lawsuit filed in federal court also claims that WakeMed knew patient health information was compromised in June 2022, yet still waited several months before notifying the patients who were potentially impacted.

WakeMed sent a letter last month to about 495,000 patients, including the lead plaintiff, that warned them that their data might have been compromised.

Meta markets the pixel as a way for companies to track the effectiveness of targeted advertisements by following users’ online activity after they see the ad in question. WakeMed installed the pixel in 2018 for “website optimization and to improve the user experience,” the letter to patients read.

WakeMed — which serves hundreds of thousands of patients a year — removed the pixel in May after being contacted by The Markup, the technology investigative news outlet that originally reported the data leak.

The personal health data collected from WakeMed’s websites was sent to the advertising giant along with an IP address, which could be used to trace the health data back to a specific individual or household, according to The Markup’s investigation.

Health data could also be linked to a patient’s Facebook account and geographic location, the lawsuit said.

A similar class action lawsuit against Meta alleged that after a pixel on the University of California San Francisco and Dignity Health patient portal sent medical information to Meta, a patient was served advertisements about her heart and knee conditions.

This is at least the second lawsuit North Carolina hospitals have faced following news that several of the largest health systems, including Duke Health, Novant Health and Atrium Health, sent patient data to Meta.

A lawsuit filed in September against Meta, WakeMed and Duke Health similarly claimed the hospitals violated their contracts with patients by capturing and sending their data to an unauthorized third party.

Teddy Rosenbluth covers science and healthcare for The News & Observer in a position funded by Duke Health and the Burroughs Wellcome Fund. The N&O maintains full editorial control of the work.
