A legal case has been initiated in Federal Court in San Jose, California by cancer patients who claim they have had their privacy violated after visiting the websites of cancer institutes.
The plaintiffs allege that the websites of some cancer institutes contain secret code that captures data and passes the information to Facebook for marketing and advertising purposes. After visiting the websites, the plaintiffs believe they have been served display advertisements relating to very specific types of cancer. It is claimed that in order for those advertisements to be served, Facebook must have been provided with site search data and the specific unique pages that were visited.
Lead plaintiff in the case, Winston Smith, claims to have viewed cancer.org, a website of the American Cancer Society. Smith searched on the site for information on lung cancer and claims those specific searches, and information about the webpages he viewed, were provided to Facebook which used the information to serve him targeted adverts. Smith allege that Facebook’s privacy policy does not specifically state that highly sensitive medical information is used for marketing purposes.
The lawsuit claims the practice is a breach of the Health Insurance Portability and Accountability Act (HIPAA), as well the Federal Wiretap Act and state privacy laws.
Facebook is not a HIPAA covered body of course, so is not bound to adhere to HIPAA Rules; however, some of the websites in question are owned and managed by healthcare organizations that are covered under HIPAA Rules. It is alleged that some HIPAA-covered bodies have not explicitly stated that there is a Facebook plugin on the site and that the plugin is used to transmit personal medical information.
The legal action initiated names Facebook, Adventists Health System, the American Cancer Society, the American Society of Oncology, BJC Healthcare, the Cleveland Clinic, the Melanoma Research Foundation, and University of Texas MD Anderson Cancer Center, according to the Courthouse News Service.
Smith says the bodies named in the law suit should have disclosed their relationship with Facebook and that medical information entered on the websites would be shared. He says that some websites, that also have a partnership with Facebook like the Mayo Clinic and John Hopkins Medicine, do not track user activity on their sites not pass medical data to Facebook.
Smith is looking for class certification, restitution, damages and a permanent injunction to stop the defendants from collecting data, tracking site users, and from releasing private health data to Facebook.
Some of the institutions listed in the lawsuit have said the case has no standing, while others, such as University of Texas MD Anderson Cancer Center, said data was not knowingly or intentionally recorded or transmitted.
Facebook has claimed that the basis of the case is not valid, and a spokesperson for the social media giant told the media outlet the International Business Times “Our policies state clearly that companies’ websites are prohibited from sharing health and other sensitive information with Facebook when using our advertising services.”