Facebook capture of medical info from web searches by users violates HIPAA and other laws, suit says
Updated: A 2012 federal lawsuit over Facebook tracking of users filed by attorney Paul Kiesel was dismissed last year, with leave to refile.
U.S. District Judge Edward Davila said the plaintiffs in the San Jose, California, case didn’t make clear how they suffered “a realistic economic harm or loss” due to continued tracking by advertising cookies after they logged out of their Facebook accounts, as Bloomberg reported at the time.
But Kiesel is trying again. In another federal court complaint filed in San Jose last month, he accuses Facebook and a number of medical groups of violating the Health Insurance Portability and Accountability Act by disclosing medical information about Facebook users without their express consent, reports the International Business Times.
The problem, according to the suit, is cookies that track web searches made by Facebook users on cancer organization sites. Although the user’s name may not be provided to third parties along with the subject of their searches, HIPAA prohibits gathering or sharing medical information without express consent from the individual, explains the Richmond Journal of Law & Technology.
“Facebook is capturing users’ searches for medical information from medical websites without users ever knowing this sensitive data is being shared with Facebook, for marketing and other purposes,” Kiesel told the IBT.
The suit also accuses Facebook of violating the privacy laws of multiple states and federal wiretap law by collecting data without appropriate authorization. It says Facebook creates marketing profiles for its 225 million users that enable companies to target them with advertising for conditions including pregnancy, diabetes, addiction and HIV/AIDs, reports Courthouse News.
A Facebook representative told the IBT that the suit has no merit and promised a vigorous defense.
“We take privacy very seriously and comply with applicable laws related to the collection and use of personal information,” the company said in a written statement. “Our policies state clearly that companies’ websites are prohibited from sharing health and other sensitive information with Facebook when using our advertising services.”
However, Facebook’s privacy policy and terms of use make no express reference to “health” or “medical” matters, the IBT article says, although they do say Facebook can get information from other websites and apps.
A spokeswoman for Facebook disagrees, pointing out in an email to the ABA Journal that posted advertising terms include a statement that: “You agree not to transfer or disclose any personally identifiable information to Facebook or combine any information obtained in connection with these terms with personally identifiable information. You further agree that you will not share with us information that you know or reasonably should know is from or about children under the age of 13 or that includes health, financial, or other categories of sensitive information.”
Meanwhile, according to the suit, websites of defendant health groups don’t expressly say that they transmit tracking information to Facebook.
Related coverage:
ABAJournal.com: “Lawyer Sues Facebook, Says Tracking Cookie Violates Wiretap Laws, Seeks Class Action Status”
ABAJournal.com: “Health data isn’t secure; ‘antiquated’ HIPAA needs to regulate Facebook and Google, experts say”
See also:
ABAJournal.com: “Is your photo online? Are you on Facebook? If so, retailers can ID you and your shopping profile”
Updated on March 14 to include advertising terms information from Facebook spokeswoman.