in Newswire Published on October 31, 2022

Data Breach: WakeMed Shared Patient Portal Info with Facebook for Over Four Years, Class Action Claims

Matthiae v. WakeMed Health and Hospitals

Filed: October 28, 2022 ◆§ 5:22-cv-00433

WakeMed has unlawfully disclosed to Meta certain health and personal information entered by consumers into its website and patient portal, a lawsuit alleges.

Defendant(s)

WakeMed Health and Hospitals

Law(s)

State(s)

North Carolina

A proposed class action claims WakeMed Health and Hospitals has unlawfully disclosed to Meta Platforms certain health and personal information entered by consumers into WakeMed’s website and patient portal.

The 28-page lawsuit alleges that for at least four years, the 970-bed not-for-profit Raleigh, North Carolina-based healthcare system had a piece of software code, known as the Meta pixel, embedded on its website, WakeMed.org, and patient portal. The Meta pixel captured and transmitted to the social media giant certain information entered by patients, the complaint claims.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

Per the suit, WakeMed did not disclose this surreptitious data collection until earlier this month, leaving patients unaware for years that their private information had been disclosed to third-party Meta.

The case relays that in March 2018, WakeMed, the biggest healthcare system in Wake County, North Carolina, launched a campaign to connect patients with its MyChart patient portal, where users can access medical records, view test results, request subscription refills, fill out medical forms, check into appointments, and communicate with healthcare providers. Per the case, the campaign involved Facebook advertisements and the use of a Meta pixel, a tracking code that can be used by website operators to track how visitors use their sites and measure the effectiveness of advertising campaigns.

The suit relays that the pixel on WakeMed’s website and patient portal was configured to collect some of the information entered by patients, including their names and contact details; computer IP addresses; emergency contact information; check-in information, such as allergies and medications; appointment details; and, in some cases, Social Security numbers or financial information. According to the suit, a “host of sensitive, non-public information” that patients believed they were communicating only to their healthcare provider was passed on to Meta without their knowledge or consent.

The case alleges that WakeMed removed the pixel in June 2022 and began an investigation into the patient data that had been transmitted to Facebook. The healthcare system nevertheless waited until October 11 to send notice to patients whose data was disclosed, the suit says.

According to the filing, WakeMed failed to satisfy its duty as a healthcare provider to safeguard patients’ sensitive information from unauthorized disclosure.

“Defendant is responsible for allowing this Data Breach through its willful and knowing configuration and implementation of the tracking Pixel, its failure to implement and maintain reasonable safeguards to prevent the disclosure of Private Information, its unreasonable data policies, its failure to adequately train employees, and its failure to comply with industry-standard data security practices.”

The lawsuit looks to represent anyone WakeMed identified as among those who were impacted by the data breach, including anyone who was sent a notice of the data breach.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.

Case Spotlight