Facebook and Cancer Sites Face Lawsuits for Alleged HIPAA Violation

by | Apr 17, 2016

A legal case has been initiated in Federal Court in San Jose, California by cancer patients who claim they have had their privacy violated after visiting the websites of cancer institutes.

The plaintiffs allege that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing and advertising purposes. After visiting the websites, the plaintiffs believe they have been served display advertisements relating to very specific types of cancer. It is claimed that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific unique pages that were visited.

Lead plaintiff in the case, Winston Smith, claims to have viewed cancer.org, a website of the American Cancer Society. Smith searched on the site for information on lung cancer and claims those specific searches, and information about the webpages he viewed, were provided to Facebook which used the information to serve him targeted adverts. Smith allege that Facebook’s privacy policy does not specifically state that highly sensitive medical information is used for marketing purposes.

The lawsuit claims the practice is a breach of the Health Insurance Portability and Accountability Act (HIPAA), as well the Federal Wiretap Act and state privacy laws.

Facebook is not a HIPAA covered body of course, so is not bound to adhere to HIPAA Rules; however, some of the websites in question are owned and managed by healthcare organizations that are covered under HIPAA Rules. It is alleged that some HIPAA-covered bodies have not explicitly stated that there is a Facebook plugin on the site and that the plugin is used to transmit personal medical information.

The legal action initiated names Facebook, Adventists Health System, the American Cancer Society, the American Society of Oncology, BJC Healthcare, the Cleveland Clinic, the Melanoma Research Foundation, and University of Texas MD Anderson Cancer Center, according to the Courthouse News Service.

Smith says the bodies named in the law suit should have disclosed their relationship with Facebook and that medical information entered on the websites would be shared. He says that some websites, that also have a partnership with Facebook like the Mayo Clinic and John Hopkins Medicine, do not track user activity on their sites not pass medical data to Facebook.

Smith is looking for class certification, restitution, damages and a permanent injunction to stop the defendants from collecting data, tracking site users, and from releasing private health data to Facebook.

Some of the institutions listed in the lawsuit have said the case has no standing, while others, such as University of Texas MD Anderson Cancer Center, said data was not knowingly or intentionally recorded or transmitted.

Facebook has claimed that the basis of the case is not valid, and a spokesperson for the social media giant told the media outlet the International Business Times “Our policies state clearly that companies’ websites are prohibited from sharing health and other sensitive information with Facebook when using our advertising services.”

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.


Please enable JavaScript in your browser to complete this form.

Patrick Kennedy

Patrick Kennedy is a highly accomplished journalist and editor with nearly two decades of experience in the field. With expertise in writing and editing content, Patrick has made significant contributions to various publications and organizations. Over the course of his career, Patrick has successfully managed teams of writers, overseeing the production of high-quality content and ensuring its adherence to professional standards. His exceptional leadership skills, combined with his deep understanding of journalistic principles, have allowed him to create cohesive and engaging narratives that resonate with readers. A notable area of specialization for Patrick lies in compliance, particularly in relation to HIPAA (Health Insurance Portability and Accountability Act). He has authored numerous articles delving into the complexities of compliance and its implications for various industries. Patrick's comprehensive understanding of HIPAA regulations has positioned him as a go-to expert, sought after for his insights and expertise in this field. Patrick's bachelors degree is from the University of Limerick and his master's degree in journalism is from Dublin City University. You can contact Patrick through his LinkedIn profile:

Raise the level of HIPAA Awareness in your organization with Learner-Friendly, Comprehensive and Affordable HIPAA Training.

Comprehensive HIPAA Training

Used in 1000+ Healthcare Organizations and 100+ Universities

    Full Course - Immediate Access

    Privacy Policy