Lawsuit: Cedars-Sinai Sharing Patient Data From Websites
Latest Class Action Suit Asserts Privacy Violations From Website Tracking Code
Cedars-Sinai Medical Center in Los Angeles has joined a growing list of organizations being sued for allegations that its use of website tracking codes is unlawfully sharing individuals' personal and health information with third-party social media and marketing companies.
The proposed class action lawsuit against Cedars-Sinai was first filed on Dec. 30, 2022, in a California state court, but it was removed on Friday to the U.S. District Court for Central California in Los Angeles. The suit alleges a list of claims, including negligence, breach of contract and violations of several California privacy and business laws related to the healthcare entity's use of tracking code on its websites, patient portal and mobile apps.
The case is among several other proposed class action lawsuits filed in recent days and weeks in federal courts by plaintiffs alleging their privacy was violated through the use of tracking codes in health-related websites and patient portals that transmit sensitive health information to technology and social media firms such as Meta, Google and other third-party marketing and advertising firms.
Other similar litigation includes a proposed class action lawsuit filed against telehealth and discount prescription drug provider GoodRx on Thursday in a San Francisco federal court, which also named three of the company's third-party technology and advertising vendors - Meta, Google and Criteo - as co-defendants (see: Lawsuit Alleges GoodRx Unlawfully Shared Health Data).
Also, the Federal Trade Commission on Feb. 1 announced a $1.5 million civil penalty against GoodRx, saying the company for years shared sensitive personal health information with third-party companies contrary to its privacy promises (see: FTC Hits Firm With $1.5M Fine in Health Data-Sharing Case).
Meta - parent company of social media giant Facebook - is also a defendant in several proposed class action lawsuits in a San Francisco federal court involving the use of the company's Pixel tracking code on other healthcare-related websites (see: Federal Judge Skeptical of Facebook in Patient Privacy Suit).
Also, in recent months, at least four healthcare entities reported major health data breaches to the Department of Health and Human Services' Office for Civil Rights involving their previous use of tracking code from companies including Meta and Google (see: Clinic Reports Tracking Pixel Breach Involving 3rd Party).
HHS OCR issued guidance in December warning that entities covered by HIPAA cannot use website tracking code if the trackers transmit protected health information without patient consent or if the entities don't have a signed business associate agreement with the technology tracking vendors.
In his lawsuit against private, nonprofit Cedars-Sinai, John Doe - a resident of California who has used the healthcare organization's website and patient portal - claims his personal and medical information was "wrongfully" shared with third parties including Meta, Google and Microsoft Bing through Cedars-Sinai's use of embedded tracking codes in those websites.
Information allegedly shared with the third parties includes the types of medical treatment a patient sought; name, gender, language and specialty of the physicians patients specified when seeking treatment; searches related to COVID-19 information and treatment; whether a patient clicked to schedule an appointment; and IP addresses of users.
The lawsuit alleges that while the plaintiff does not know the exact number of class members, Cedars-Sinai says it sees over 1 million patients per year and therefore, "a significant proportion of those patients" use Cedars-Sinai's website.
Cedars-Sinai declined Information Security Media Group's request for comment on the lawsuit.
In a notice of removal to have the John Doe lawsuit moved from a California state superior court to federal court, Cedars-Sinai attorneys claim that the healthcare entity is acting "under a federal officer" in its long participation in HHS' HITECH Act Meaningful Use program by creating patient portals to access electronic health records.
"Plaintiff's complaint directly challenges Cedars-Sinai's website analytics practices, which promote 'meaningful use' by helping to drive patients to the Cedars-Sinai website and to its patient portal," Cedars-Sinai's attorneys say in court documents.
"The government has specified how to best enhance patient engagement, including through a patient portal. … the entire point of using the third-party services is to direct traffic to, and increase engagement with, Cedars-Sinai's website," the attorneys write.
Cedars-Sinai's attorneys also argue that the federal government itself uses trackers on its own health-related websites.
"The plaintiff's complaint generally targets Cedars-Sinai's alleged tracking of online behaviors through source code and cookies, along with the use of marketing companies in conjunction with its public medical website. The Meaningful Use program envisions these activities, as manifested by the federal government's own use of these codes and third parties for its Medicare website."
HHS did not immediately respond to ISMG's request for comment on whether HHS uses tracking code or cookies or shares consumer data collected on its websites with third parties.