Lawsuit accuses hospital of sharing patient health data with Facebook
This article was updated at 6:15 p.m EST with comment from an Overlake Medical Center spokesperson.
A proposed class action lawsuit filed Thursday alleges that a Seattle-area hospital allowed Facebook’s online tracking tools to integrate with its website, leading to personal health data belonging to hundreds of thousands of people to be shared with Meta and other third parties.
The plaintiff, Jacq Nienaber, alleges that Meta Pixel as well as the company’s Conversions Application Programming Interface, typically embedded in websites for marketing purposes, were present in Overlake Hospital Medical Center’s systems, behaving as a “wiretap.”
The lawsuit alleges that code built into “numerous web pages” on the hospital website allowed Meta, Facebook’s parent company, to capture patient information via their discussions with doctors and online health service requests.
Facebook did not respond to requests for comment.
Overlake spokesperson Ryan Hodges said the hospital's legal department had not been informed of the lawsuit.
"Until that happens, we would need more information and time to be able to formulate an appropriate response to the allegations detailed in this case," he said.
Last month the Federal Trade Commission (FTC) and Department of Health and Human Services (HHS) released a joint letter warning about 130 hospitals, telehealth providers, and health app developers of the “serious privacy and security risks” they face when using website and mobile app tracking technologies, including the Meta/Facebook pixel and Google Analytics.
The letter warned that the technologies “gather identifiable information about users as they interact with a website or mobile app, often in ways which are not avoidable by and largely unknown to users.”
Such disclosures not only reveal sensitive user information such as health conditions and diagnoses, the letter said, but also could result in identity theft, discrimination, and other devastating impacts on individual consumers.
The lawsuit makes the same argument, alleging that information the hospital shares with Facebook could allow Meta, along with third-party marketers, to know that a specific patient was seeking confidential medical care.
“This type of disclosure could also allow a third party to reasonably infer that a specific patient was being treated for a specific type of medical condition such as cancer, pregnancy, dementia, or HIV,” the lawsuit says.
It also argues that Overlake intentionally pushes patients to connect with its digital healthcare platforms with “the goal of increasing profitability” through the tracking technologies the FTC and HHS letter identified.
“The pixel allows Defendant to optimize the delivery of ads, measure cross-device conversions, create custom audiences, and decrease advertising and marketing costs,” the lawsuit says, noting that the pixel is an add-on not needed for the website to function.
The Nienaber lawsuit blames these tracking technologies for “automatically and surreptitiously” allowing Facebook to see a range of information class action members shared with Bellevue, Washington-based Overlake’s website, including “button clicks and selections, and text typed into search bar including conditions, symptoms, and treatments.”
Suzanne Smalley
is a reporter covering privacy, disinformation and cybersecurity policy for The Record. She was previously a cybersecurity reporter at CyberScoop and Reuters. Earlier in her career Suzanne covered the Boston Police Department for the Boston Globe and two presidential campaign cycles for Newsweek. She lives in Washington with her husband and three children.