Lawsuit claims Facebook had access to Jefferson’s private patient portal
The health system is among those facing lawsuits claiming it allowed third-party tracking to collect information about users for advertising purposes.
Robert Stewart used his Jefferson Health online patient portal to discuss ways to manage his diabetes with his doctors. Shortly after, his Facebook feed was full of ads for Ozempic and other medications to treat the condition.
The Philadelphia man says in a federal class action lawsuit that Jefferson violated his privacy rights by enabling Facebook to track confidential health information and match it to social media profiles.
Jefferson is among a growing number of health systems facing lawsuits that claim they allowed Facebook’s third-party tracking technology, Meta Pixel, access to private patient information. The lawsuit says Jefferson patients were tracked on the health system’s public-facing homepage, as well as within a password-protected portal where doctors and patients communicate directly.
Main Line Health, Redeemer Health, and Tower Health have faced similar accusations in lawsuits testing patient protection laws that were written before the age of social media networks and mobile apps.
The cases could offer a rare look into health systems’ interactions with now-ubiquitous third-party tracking, which lets businesses learn about their customers’ interests to better target advertising. Retailers use tracking to get insight on what types of clothes and shoes their customers like best, and media companies use it to tailor news feeds to topics of interest to their readers.
But in health care, the practice has been controversial because people’s medical information is protected by HIPAA, a federal privacy law that prohibits doctors, hospitals, and insurers from sharing personal details about patients without their permission.
In the Jefferson case, the concern about trackers embedded within the secure portal is especially worrisome, Stewart’s lawyers said, because patients logging in expect the same level of privacy as inside a doctor’s office. They declined to make Stewart and another patient named in the lawsuit available for interviews.
In legal filings, Jefferson denies using Meta Pixel on its patient portals. It acknowledged using third-party tracking technology on its public-facing websites, which do not contain private medical information. The health system declined further comment because the lawsuit is pending.
As courts grapple with the legal issues surrounding third-party tracking, many hospital systems nationally have moved away from the practice.
An Inquirer analysis found that most hospital systems in the Philadelphia area (including Jefferson) do not currently use Meta Pixel on their public-facing webpages. That’s a shift from three years ago, when an analysis by University of Pennsylvania researchers found that the vast majority of hospital websites used the technology.
“Doctors and hospital systems have a clear duty to do no harm through their websites,” said Albert Fox Cahn, executive director of Surveillance Technology Oversight Project (STOP), a New York-based civil rights and online privacy nonprofit that is not involved in the lawsuit. “It really is indefensible to see health-care providers using tracking technologies that put profits ahead of patients.”
Ongoing privacy concerns
Nearly 99% of hospital websites had third-party trackers installed in 2021, according to a Health Affairs study by University of Pennsylvania researchers.
Meta offers a tool that allows anyone to check if the company’s tracker is embedded on a specific webpage. The Inquirer used this tool, Meta Pixel Helper, on the websites of more than 40 hospitals in the Philadelphia area and found that two had Meta Pixel installed on their public-facing websites: Crozer Health and Shriners Children’s Philadelphia.
Crozer and Shriners did not respond to requests for comment.
The search is a snapshot in time, as Meta Pixel can be easily turned on or off. This means hospitals that did not have Meta Pixel in use when The Inquirer checked in mid-November could have been using it when Penn checked for its 2021 study.
For example, an analysis by STAT News and The Markup of Newsweek’s top 100 hospitals found the tracker on a third of websites in 2022. Among those with active trackers at the time were Penn Medicine and Jefferson webpages.
The Inquirer’s analysis focused on Facebook’s Meta Pixel because it is commonly used and has been the focus of the litigation. But other companies, including Google, use similar trackers.
The Inquirer wasn’t able to check whether Pixel has been embedded on patient portals, which are password-protected and only accessible to patients.
But the ongoing lawsuits indicate the practice remains an issue, and it can be difficult for patients to win in court.
This month, a federal court dismissed a case that accused Tower Health of using Meta Pixel because “the facts simply weren’t there and weren’t coming,” U.S. District Judge John Murphy said in the decision. For example, the patients’ complaints did not describe “specific HIPAA-protected information that was transmitted to Meta,” he said.
Main Line Health and Redeemer Health are facing claims similar to those against Jefferson.
In both cases, patients’ lawyers have revised their original complaints multiple times in an attempt to show enough evidence for the case to proceed in court.
Spokespersons for Main Line, Tower, and Redeemer declined to comment.
Some health systems may not realize the technology is baked into their websites. Technology managers who contract out website development may not be fully aware of the unique security and privacy concerns in health care, said Andrew Tomlinson, senior director of regulatory and international affairs for the American Health Information Management Association (AHIMA), which represents health IT managers.
“It’s a challenge, but organizations have to understand what they’re using,” he said. “There’s no excuse.”
Jefferson in the patient privacy spotlight
In the Philadelphia region, the case against Jefferson has cleared a critical hurdle other lawsuits have not: A judge in September denied the health system’s request to dismiss, allowing the case to advance against the health system, whose 32 hospitals and $10 billion annual revenue make it the largest in the region and a national leader.
“Thousands of people” could have been affected by Jefferson’s alleged use of Meta Pixel, the lawsuit against it says. The complaint asks for as much as $10,000 for each person affected.
The lawsuit alleges that Meta had access to information about when patients logged into the portal, when they scheduled appointments, and information they typed into the appointment form.
Meta also had access to website URLs that describe where patients go after using the portal, such as what providers, specialists, and medical condition pages they visited on Jefferson’s website, the lawsuit claims.
Patients were not notified that their information would be shared and did not give permission, the lawsuit claims. HIPAA requires health-care providers to get patient permission before sharing their health information.
“These folks disclosed personal, private, privileged information that was then transmitted from a provider who is sworn to keep this secret in the vault,” said James Zouras, partner at Stephan Zouras, a national law firm in Chicago representing the class action.
The two named plaintiffs, Stewart and Nancy Murphy, suspected that their health information had been compromised when they started seeing Facebook ads related to medical issues, such as diabetes, kidney stones, and smoking cessation, that they had discussed with Jefferson providers through the patient portal.
Zouras declined to make either available for an interview.
His lawsuit also says Jefferson received reports from Meta that offered analysis on how people used its websites and used the data for commercial purposes.
Jefferson said that it never used Meta Pixel on any of its patient portals, defending its use of third-party trackers on its public-facing websites as in line with “most websites on the internet.”
“The deployment of these tools enabled Defendant to measure browsing traffic, ensure website optimization, and increase awareness of the services offered by Jefferson Health to the community at large,” the system said in court filings.
An issue in legal and political crosshairs
Boston-area health systems agreed to a high-profile $18.4 million settlement in 2022 for their use of third-party trackers, sparking interest among academics and attorneys in the issue. The Biden administration later that year tried to prohibit the practice, but a federal judge in Texas ruled this summer that the U.S. Department of Health and Human Services didn’t have the authority to ban third-party tracking.
And experts think lawsuits like the one against Jefferson may be increasingly difficult to win after the Texas federal court ruling.
“There’s a lot of money to be made in the short-term,” said Cahn, whose New York-based organization, STOP, advocates for civil rights in online privacy. “Some people view these lawsuits as the cost of doing business.”
The future of cases like the one against Jefferson could depend on whether the incoming Trump administration attempts to uphold the HHS guidance or allows lower courts’ rulings to stand.