Let’s review:

  • Health information is sensitive.
  • Sharing it with third parties for advertising is more sensitive.
  • Doing it behind a log-in where there is no expectation of such tracking?
  • You’re a covered entity and didn’t have a Business Associate Agreement (BAA) in place?

A new class action lawsuit claims that a health system is using Meta Pixel on its website, within password protected patient portals.

“With the tracker present within password-protected patient portals, packets of data were allegedly sent to Facebook whenever someone clicked a button to schedule a doctor’s appointment. Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors’ names, which could all be linked to the user’s unique IP address,” the lawsuit stated.

This is not good, especially in the wake of the Dobbs decision where reproductive health information is even more sensitive. All entities collecting health information need to take a close inventory of how it is collected and how it is shared.

Yes, even on the website.

Yes, even if it’s just a cookie.