Lawsuit claims University of Iowa Hospitals shared patient information with Facebook

The University of Iowa Hospitals & Clinics is facing a potential class action lawsuit over the alleged disclosure of confidential patient information to Facebook.

Eileen Yeisley, on behalf of herself and others, is suing UIHC in U.S. District Court for the Southern District of Iowa for the alleged “intentional, reckless, and/or negligent disclosure” of confidential medical information to the social-media giant Facebook.

The lawsuit alleges that UIHC manages or controls two websites that it encourages individuals to use for booking medical appointments, locating physicians and treatment facilities, communicating medical symptoms, procuring information on medical conditions and treatment options, and signing up for events and classes.

According to the lawsuit, UIHC installed on those websites a Facebook “pixel” that is essentially a piece of computer code that tracks the online activity of people as they interact with those particular websites. The information that is transmitted to UIHC via the pixel is allegedly shared with Facebook and linked to that individual’s personal Facebook account.

UIHC is also accused of installing a Facebook conversion application programming interface – also called a conversion API – on its sites. That conversion API allegedly enables additional unauthorized disclosures of patient information and is used separately from the pixel “because no privacy protections on the user’s end can defeat it.”

Specifically, the lawsuit claims, information that actual and potential patients communicate to UIHC through its websites is being automatically, surreptitiously and unlawfully sent to Facebook’s servers alongside each individual’s unique Facebook user ID. Facebook, in turn, has allegedly sold that information to third-party marketers who can then target the individuals’ Facebook pages with ads tailored to their medical issues.

While the Facebook user ID is merely a string of numbers that doesn’t personally identify an individual, the number does connect to an individual’s Facebook profile, allowing virtually anyone with access to the number to identify the person and see their profile.

The lawsuit claims UIHC utilizes the pixel and conversion API for marketing purposes in an effort to bolster its profits.

UIHC is ‘handing individuals a tapped phone’

The information the pixel and conversion API allegedly send to Facebook includes the types of medical treatment sought, specific health conditions, and the fact that an individual booked a medical appointment. That sort of disclosure has enabled Facebook to ascertain that a specific individual has sought medical care for a specific “type of medical condition such as cancer, pregnancy, dementia, or HIV,” the lawsuit claims.

The pixel that UIHC has allegedly installed on its websites acts much like a traditional wiretap, the lawsuit alleges. In essence, UIHC is “handing individuals a tapped phone,” and once a UIHC webpage is loaded onto their browser, the software intercepts any communications from the user and relays them to Facebook.

Facebook, the lawsuit claims, is given the individuals’ IP addresses and other information they may have input into the hospital’s websites, such as their home address or phone number. “This is precisely the type of information the Health Information Portability and Accountability Act requires healthcare providers to anonymize to protect the privacy of patients,” the lawsuit alleges.

Yeisley, a UIHC patient since the early 1989s, alleges she has routinely accessed UIHC’s websites on her mobile device and computer, and has been a Facebook user since 2009. According to the lawsuit, she has allegedly used the UIHC sites to search for a physician, communicate private information to her physician, complete web-based patient forms and review medical records. Shortly thereafter, her information was allegedly relayed from UIHC to Facebook.

The lawsuit alleges that while UIHC willfully and intentionally incorporated the software into its website, it never publicly disclosed its sharing of sensitive and confidential communications with Facebook. The lawsuit seeks unspecified damages for invasion of privacy; unjust enrichment; breach of an implied contract and violations of the Electronic Communications Privacy Act; violations of the Computer Fraud and Abuse Act; and breach of confidence.

The lawsuit also seeks a court order certifying national and Iowa class-action status, and injunctive relief to protect the interests of the plaintiff and proposed class members.

UIHC has yet to file a response to the lawsuit. A hospital spokesperson had no immediate comment on the allegations.

Facebook operates the world’s largest social media company and reportedly generated $117 billion in revenue in 2021, roughly 97% of which was derived from the sale of advertising.

In 2012, UIHC came under fire for sharing patient information with fundraisers as part of what it called the Grateful Patient Program. That program involved a contractual arrangement between the university and the private University of Iowa Foundation that helped raise money for the hospital.

Their contract stipulated that the university and the foundation were to collaborate on donor-prospect research that would include what they called “wealth screenings of patients.”

As a result of that collaboration, the foundation solicited eye-care patients using letters signed by the head of the ophthalmology department. The department head was later informed by the foundation which of his patients had responded with a donation, and when those patients came to UIHC for treatment, they received a thank-you from the doctor.