Lawsuits Accuse LinkedIn of Tracking Users' Health Info

Class Action Suits Target Tools Used to Track Medical Appointments on Websites

LinkedIn is facing several proposed class action lawsuits filed in recent weeks in California alleging that the company is "intercepting" users' sensitive information related to appointments booked on medical websites through the use of embedded web tracking tools for marketing and advertising purposes.

As of Tuesday, at least three such lawsuits have been filed in recent weeks against Sunnyvale, California-based LinkedIn - one in a California superior court in late September and two complaints filed in the U.S. district court in Northern California last week.

Each of the lawsuits - which are all being handled by the same law firm, Bursor & Fisher - makes similar allegations, including wiretapping claims under the California Invasion of Privacy Act.

The lawsuits were filed by plaintiffs and similarly situated individuals who made medical appointments on one of three healthcare-related websites - Spring Fertility Holdings, a fertility clinic that operates in several states; Therapymatch, a mental health therapy website that does business as Headway; and Village Practice Management Co., an urgent healthcare provider known as CityMD.

The complaints allege that LinkedIn, through the use of its web tracking software, LinkedIn Insight Tag, on the various medical care services providers' websites, "knew that it intercepted users’ interactions."

Meta and Spring Fertility are also named co-defendants in the lawsuit against LinkedIn.

"Spring Fertility aided, employed, agreed and conspired with social media websites Facebook and LinkedIn to intercept sensitive and confidential personal and medical communications sent by patients seeking to book services with Spring Fertility through its website," that lawsuit complaint alleges.

"This was a serious invasion of privacy divulging deeply personal aspects of an individual's life. The interception of communications and booking information was particularly egregious because it included highly sensitive details such as the specific type of fertility treatment sought and the patient’s sexual orientation, all without the patients’ knowledge or consent," the lawsuit alleges.

Each of the three lawsuits seeks financial damages and injunctive relief "the court may deem proper."

LinkedIn in a statement to Information Security Media Group said, "we will show that our advertising tools safeguard member privacy and that these claims lack merit."

Meta and Spring Fertility did not immediately respond to ISMG's request for comment on the lawsuits. The law firm representing the plaintiffs in each of the three cases also did not immediately respond to ISMG's request for comment.

Meta also separately faces an ongoing consolidated class action lawsuit in a Northern California federal court that alleges a variety of privacy-related issues involving the use of its Pixel web tracker software on healthcare-related websites (see: Judge Gives Green Light to Meta Pixel Web Tracker Lawsuit).

Besides civil lawsuits, federal agencies, including the U.S. Department of Health and Human Services and the Federal Trade Commission, have been warning organizations of potential HIPAA and FTC Act violations, respectively, involving online trackers on health-related websites. The FTC has already taken enforcement actions in a handful of such cases (see: FTC Bans Online Mental Health Firm from Sharing Certain Data).

Last week, in a separate privacy matter, regulators in Ireland fined LinkedIn 310 million euros for violating the General Data Protection Regulation in a case also involving the social media company's use of customer data (see: LinkedIn Fined 310 Million Euros for Privacy Violations).

Avoiding Controversy

The use of online tracking codes on healthcare-related websites is often a hot-button privacy issue, some experts said.

"There have been pervasive issues with social media pixels and trackers on medical sites," said Ian Cohen, CEO of Lokker, a provider of online data privacy and compliance solutions.

"There are several issues causing most of these problems, but the best advice is this: Don’t place social media pixels on healthcare pages, at least not ones collecting information through a form, or because the page title is so obvious that it clearly conveys the user’s condition or symptom," he said.

He said companies potentially misusing web tracking technologies often run into several issues, including failing to get explicit consent. "It is difficult to get most consent managers working perfectly, and even more difficult to keep them up to date because so much changes dynamically in ad tech. To mitigate this, companies need to use software to automatically detect changes in new tags and scripts being served," he said.

Also, the breadth and size of social media companies create potential risks. "Their reach is so large that an anonymous ID can often be re-identified back to a user’s account," he said.

"For example, the Meta pixel often includes a unique ID that is unique to the specific user who visited the site, and if they have logged into Facebook recently, this ID can often be tied back to that user’s homepage on Facebook. To avoid this, make sure you either don’t use the pixel or use with privacy sandbox and make sure to get explicit consent," he suggested.

Even then, the complexity of pixels, cookies and iframes also can add risk. "You might not serve Facebook cookies, for example, but if you have the Meta pixel, and a user comes to your site after logging into Facebook, it will likely drop a number of cookies that now have access to the user’s session, along with a cookie called 'c-user' that has their unique ID in it," he said.

"To fix this, you need to either remove the pixel or check your website’s consent weekly for missing or uncategorized trackers and cookies," Cohen suggests.

"Healthcare providers really need to avoid using these pixels whenever possible. It’s difficult for some providers if they specialize in a very specific area, but if possible, don’t use them."

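The automated check Cohen describes, detecting newly served tags and keeping social media pixels off pages that collect information through a form, can be sketched as a comparison against an approved baseline. This is an added example, not code from the article or from Lokker; the sample page, the names `clinic.example` and `cdn.example-analytics.test`, and the tracker host list are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed script hosts for the LinkedIn Insight Tag and the Meta pixel;
# keep your own list current from vendor documentation.
SOCIAL_TRACKER_HOSTS = {"snap.licdn.com", "connect.facebook.net"}

# Constructed sample: an appointment page with one approved and one unapproved tag.
SAMPLE_HTML = """
<html><head><title>Book an appointment</title>
<script src="/static/app.js"></script>
<script src="https://cdn.example-analytics.test/a.js"></script>
<script src="https://snap.licdn.com/li.lms-analytics/insight.min.js"></script>
</head><body>
<form action="/book"><input name="treatment"><input name="email"></form>
</body></html>
"""

class TagInventory(HTMLParser):
    """Collect third-party hosts of script/img/iframe tags; note any form."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.hosts = set()
        self.has_form = False

    def handle_starttag(self, tag, attrs):
        if tag == "form":
            self.has_form = True
        if tag in ("script", "img", "iframe"):
            host = urlparse(dict(attrs).get("src") or "").hostname
            own = host and (host == self.first_party
                            or host.endswith("." + self.first_party))
            if host and not own:
                self.hosts.add(host)

def audit_page(html, first_party, approved_hosts):
    """Return hosts missing from the approved baseline, and social trackers
    present on a page that collects information through a form."""
    inv = TagInventory(first_party)
    inv.feed(html)
    social = inv.hosts & SOCIAL_TRACKER_HOSTS if inv.has_form else set()
    return {"new_hosts": sorted(inv.hosts - set(approved_hosts)),
            "social_on_form_page": sorted(social)}

if __name__ == "__main__":
    print(audit_page(SAMPLE_HTML, "clinic.example", {"cdn.example-analytics.test"}))
```

Parsing served HTML only sees tags present in the markup; tags injected at runtime by a tag manager need the same comparison run over the requests captured from a rendered page.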

About the Author

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.



