
Client alert: Meta Pixel

November 7, 2022

Understand the impacts and implications of using a tracker or web beacon on your website.
Cyber Risk Management|Financial, Executive and Professional Risks (FINEX)

What happened

A recent investigation by Markup revealed that healthcare entities may be impermissibly sharing protected health information (“PHI”) in violation of the Health Insurance Portability and Accountability Act (“HIPAA”) and various state data privacy statutes. The HIPAA Privacy Rule requires that covered entities that create, receive, maintain, and/or transmit PHI take specific measures to protect that information and only share it with third parties under specific circumstances. These entities are now facing significant regulatory and legal consequences.

Markup analyzed the websites of 100 of the top hospitals in the United States and found that a number of the websites contained a tracker (or web beacon) called Meta Pixel. Web beacons are 1-pixel by 1-pixel graphic images placed on a website to measure the effectiveness of online advertising and user interactions with that website.[1] Meta Pixel, like other trackers, can measure and collect information about certain actions taken by a visitor. Meta Pixel is unique in that the information is shared with Meta (f/k/a Facebook) and can be linked with Meta and Instagram profiles to generate highly targeted ads. In response to the Markup report, several healthcare entities removed Meta Pixel and other trackers from their websites and patient portals. The steps taken by these entities are important, but the damage may already be done.

According to several recently filed class action lawsuits, it is alleged that Meta Pixel impermissibly collected and received PHI including IP addresses, patient search terms, appointment information, medications, and physician names without the patient’s consent. Notably, it is alleged that Meta Pixel captured information within the password-protected patient portals as well as on the main website accessible to the public.

Meta Pixel has been cited as the basis for data breach notifications impacting nearly 5 million patients and prompted the filing of at least nine (9) class action lawsuits.[2] The class action lawsuits allege violations of various state and federal privacy laws including the Electronic Communications Privacy Act; the Pennsylvania Wiretap Act; the federal Wiretap Act; the California Invasion of Privacy Act; and the Illinois Personal Information Protection Act. Further, the suits allege that the healthcare entities who utilized Meta Pixel on their websites failed to receive express consent from the impacted individuals and failed to have valid contracts in place (business associate agreements) that would permit the sharing of PHI under HIPAA.

In addition to being named as a defendant in the class action lawsuits and facing potential regulatory actions, Meta has also received an inquiry from Sen. Mark Warner (D-VA) expressing his concern about Meta Pixel and the sensitive protected information it may collect.[3]

The privacy issues surrounding web beacons and Meta Pixel are not limited to healthcare entities and HIPAA. Bloomberg Law reports that since February 2022, over 45 proposed class actions have been filed alleging that Meta Pixel tracked individuals’ personal video consumption data in violation of the federal Video Privacy Protection Act (“VPPA”).[4] Enacted in 1988, the VPPA requires that video tape service providers obtain informed and written consent before disclosing an individual’s video viewing information to a third party. The VPPA provides for a private right of action which permits an individual to bring a civil action seeking damages, including statutory damages of not less than $2,500 per individual.[5]

It is too early to speculate what the ultimate fallout of the Meta Pixel litigation and regulatory actions will be. However, it’s worth noting that a similar class action lawsuit involving a healthcare entity’s usage of third-party analytics tools, cookies, and tracking pixels recently resulted in an $18 million settlement.[6]

Insurance implications

The facts surrounding the use of trackers will have a significant impact on the availability of coverage. A web beacon or pixel that discloses PHI / PII to a third party without users’ consent or a valid contract may, if that disclosure is considered a data breach or privacy incident, implicate coverage for data incident response expenses. Data incident response expenses include coverage for breach counsel to advise as to whether an incident triggers statutory or regulatory obligations to notify affected individuals or regulators. If it is determined that notification is warranted, then further data incident response coverages, including notification and public relations expenses, may also be triggered.

Additionally, any subsequent litigation or regulatory action that arises from the data breach notification may trigger coverage under a policy’s third-party privacy liability and regulatory proceeding insuring agreements.

Alternatively, allegations that PHI / PII was disclosed or shared in violation of an entity’s privacy policy may be sufficient to constitute a privacy liability wrongful act even in the absence of a suspected data breach.

What should you do

We recommend that clients review their website’s configuration and identify any trackers / web beacons / pixels. Clients should confirm that any data being collected is done in compliance with applicable data privacy laws and with the knowledge and consent of the user. Any data that is collected, used, or disclosed should be limited to the minimum information necessary to accomplish its purpose and not be used or disclosed beyond what is legally permissible. Clients should review their contracts with any third-party vendors or business associates to ensure that reasonable measures are taken to secure any data that is collected, transmitted, or stored on their behalf.
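As an added example (not part of this alert and not WTW's tooling), the Python scanner below flags Meta Pixel and other 1x1 web beacons in a page's HTML so a site owner can inventory trackers before reviewing consent and contracts. The detection patterns (the Meta Pixel loader host, its noscript fallback image path and the fbq('init') call) and the sample portal page are assumptions for illustration; a real review would also cover scripts injected at runtime by tag managers, which a static scan of the served HTML does not see.

```python
import re
from html.parser import HTMLParser
# Assumed detection patterns (not from the alert): Meta Pixel loader host, its
# <noscript> fallback image path, fbq('init', ...), and a generic 1x1 <img> rule.
PIXEL_LOADER_HOST = "connect.facebook.net"
PIXEL_IMAGE_PATH = "facebook.com/tr"
FBQ_INIT = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")

class BeaconScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (kind, evidence) tuples in document order
        self._script = None  # buffers the text of the <script> being parsed

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if tag == "script":
            self._script = []
            if PIXEL_LOADER_HOST in src:
                self.findings.append(("meta_pixel_loader", src))
        elif tag == "img":
            if PIXEL_IMAGE_PATH in src:
                self.findings.append(("meta_pixel_image", src))
            elif a.get("width") == "1" and a.get("height") == "1":
                self.findings.append(("one_by_one_image", src))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            text, self._script = "".join(self._script), None
            if PIXEL_LOADER_HOST in text:  # inline loader snippet
                self.findings.append(("meta_pixel_loader", PIXEL_LOADER_HOST))
            for pixel_id in FBQ_INIT.findall(text):
                self.findings.append(("fbq_init", pixel_id))

def scan_html(html):
    scanner = BeaconScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings

# Constructed sample page; the pixel id is a placeholder, not a real id.
SAMPLE_HTML = """<html><head><script>!function(f,b,e,v){/* abbreviated */}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img height="1" width="1" style="display:none" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><img src="/logo.png" width="200" height="80"><img src="https://analytics.example.invalid/b.gif" width="1" height="1"></body></html>"""
```

Running `scan_html(SAMPLE_HTML)` reports the inline loader, the pixel id from fbq('init'), the noscript image and the generic 1x1 beacon, while the ordinary logo image is ignored.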

Lastly, clients are advised to work with their broker to review their cyber insurance policy and discuss potential coverage options, including regulatory fines and penalties coverage and wrongful collection coverage.

Why WTW

As a global leader in human capital solutions, risk advisory and broking services, we are well prepared to assess your cyber vulnerabilities, protect you through best-in-class solutions and radically improve your ability to successfully recover from future attacks.

Disclaimer

Willis Towers Watson hopes you found the general information provided in this publication informative and helpful. The information contained herein is not intended to constitute legal or other professional advice and should not be relied upon in lieu of consultation with your own legal advisors. In the event you would like more information regarding your insurance coverage, please do not hesitate to reach out to us. In North America, Willis Towers Watson offers insurance products through licensed entities, including Willis Towers Watson Northeast, Inc. (in the United States) and Willis Canada Inc. (in Canada).

Footnotes

[1] Web Beacon
[2] Nine Suits Over Meta’s Online Tracking Related In California Federal Court
[3] Senator Questions Zuckerberg About Facebook’s Collection of “Sensitive Health Information”
[4] Meta Pixel’s Video Tracking Spurs Wave of Data Privacy Suits
[5] HIPAA does not contain a private right of action.
[6] Doe v. Partners Healthcare System, Inc., Case No. 1984CV01651-BLS1 (Superior Court of Mass., Suffolk Co.)
