CINCINNATI — A lawsuit filed Jan. 10 accuses Christ Hospital of communicating patient information to third-parties like Meta — which owns Facebook — through code embedded in their website.
Christ Hospital's website contains a search engine patients are encouraged to utilize that allows people to search physicians in the Christ Hospital network, including those specialized in treating specific ailments. The site also allows patients to schedule appointments online.
The lawsuit alleges Christ Hospital "secretly deployed" a Meta Pixel, a piece of JavaScript code which allows users to track visitor activity on a website, to collect patient information and, subsequently, disseminate the information to Meta and other third party companies for targeted advertisements.
According to the Facebook Developer site, Meta Pixels can be used to "define custom audiences for ad targeting" among other things.
That line of code tracked and disseminated patients' activity on the Christ Hospital website, including search histories for physicians, a patient's IP address and the types of illness or injury for which they were seeking treatment without informing the patient, the lawsuit says.
The suit said this makes sensitive patient information available to Meta and other third parties for targeted advertisements. Patients who searched for treatment options for cancers, psychiatric disorders or sexually transmitted diseases, for example, would have their search data harvested by Meta for these ads, compromising confidential information, according to the lawsuit.
From the connection to Meta, the harvested data "can and likely will" be further disseminated to third parties for retargeted ads, to insurance companies seeking patient information for profit or "to criminals on the dark web for use in fraud and cyber crimes," says the lawsuit.
It also alleges patient information through MyChart, a program used by hospitals to communicate test results, medical history and communications between patients and physicians, could have been compromised through the Meta Pixel.
Even just the dissemination of patient IP addresses is a violation of the Health Insurance Portability and Accountability Act (HIPAA), because IP addresses can be used to identify individuals and HIPAA defines "personally identifiable information" to include "any unique identifying number, characteristic or code," specifically listing an example of IP addresses, according to the lawsuit.
The plaintiff in the lawsuit has remained anonymous, identified only as Jane Doe, but the lawsuit seeks to represent any Christ Hospital patient who believes their personal information could have been compromised by the use of their site.
The lawsuit was originally filed in Hamilton County but has since been elevated to a federal court. Doe and the other plaintiffs are requesting Christ Hospital face a jury trial and pay damages of over $25,000, to be determined at trial.
The lawsuit also requests Christ Hospital face punitive charges, if allowed.
In response to the allegations leveled in the lawsuit, a Christ Hospital spokesperson issued a written statement:
"At the Christ Hospital Health Network, protecting our patient's privacy is a top priority. The Christ Hospital Health Network does not sell patient information to Facebook or anyone. We are investigating the claim but due to pending litigation, we cannot make any further comment at this time."
You can read the lawsuit in full below:
Doe v. Christ Health Lawsuit by WCPO 9 News on Scribd
Watch Live:
WCPO 9 News Headlines