As we discussed in a recent webcast, there has been a surge in litigation focused on companies’ use of Meta Pixel, which is tracking code that enables the sharing of user online activity with Facebook. Recent litigation has alleged that use of Meta Pixel with online videos violates the Video Privacy Protection Act (VPPA). An even more recent variant of Meta Pixel litigation alleges that use of Meta Pixel constitutes wiretapping under federal and state wiretapping laws. These recent cases have focused on hospitals that have enabled Meta Pixel for patient portals and thus allegedly allow Meta to eavesdrop and/or wiretap private doctor-patient communications, allegedly violating HIPAA, state healthcare privacy laws, and a host of other state privacy laws – in addition to wiretapping laws.
A recently filed case, Stewart v. Advocate Aurora Health, Inc. (N.D. Ill), is a good example of this recent trend in Meta Pixel litigation. The case alleges that Advocate configured Meta Pixel to track patient communications through its patient portal, allowing Meta to capture in real time medical information of Advocate patients. The complaint alleges that Advocate recently disclosed the sharing with Meta Pixel under applicable data breach notification laws, which Plaintiff alleges is evidence that Advocate and Meta had not obtained patient consent to the alleged interception/eavesdropping of communications.
The lawsuit asserts claims against Advocate and Meta under the Electronic Communications Privacy Act, which provides liquidated damages of up to $10,000 per person for wiretap violations, the Stored Communications Act (SCA), as well as Illinois state law claims for breach of contract, breach of implied duty of confidentiality, and invasion of privacy. There have been at least half a dozen similar class action lawsuits filed in the past two months against hospitals and Meta under similar theories of liability, and it is likely that plaintiff’s attorneys will file more in the coming months. Indeed, a recent study by Markup asserts that one third of the 100 largest hospitals in the U.S. share patient PHI through their websites with Meta.
The recent variant in Meta Pixel litigation combines allegations about the usage of Meta Pixel, prevalent in recent VPPA cases, with recent favorable rulings in the Third and Ninth Circuits finding that tools like Meta Pixel intercept communications under state wiretap laws. The litigation against Advocate raises a number of thorny legal issues, such as whether Meta’s terms of service immunize Meta from liability for a website operator’s configuration of Meta Pixel, the extent to which patient consent can be inferred from website disclosures, and the availability of liquidated damages in the absence of actual damages under the SCA. In the short term, however, it is likely that plaintiff’s lawyers will continue to pursue wiretap claims against hospitals allowing Meta Pixel to run on patient portals. Hospitals would be wise to review their usage of tools like Meta Pixel and to consider changes to their privacy policy and/or obtain formal patient consent.