Class Action Says OverlakeHospital.org Visitors’ Private Data Secretly Handed to Facebook, Other Third Parties [UPDATE]

New to ClassAction.org? Read our Newswire Disclaimer

A proposed class action lawsuit claims Overlake Hospital Medical Center has secretly shared website visitors’ personal and medical data with third parties, including Meta (Facebook), without consent.

Want to stay in the loop on class actions that matter to you? Sign up for ClassAction.org’s free weekly newsletter here.

According to the 61-page lawsuit, Overlake’s website utilizes a Meta pixel and Facebook’s Conversions application programming interface (API), which are pieces of code that businesses can embed into their websites to enable the social media company to track users’ data and activity in real time as they interact with the pages. The suit explains that the tracking tools “act[] like a wiretap” and automatically and invisibly transmit user information back to Facebook, where it is used for targeted advertising.

The case contends that, by utilizing the Meta pixel and Conversions API, the Washington-based healthcare organization “surreptitiously” shares with Facebook every move its patients make on OverlakeHospital.org and its accompanying patient portal, including their search queries, buttons clicked, pages viewed, any content entered into the chat feature, IP addresses and more.

The complaint also alleges that Overlake uses additional tracking tools to disclose patients’ private information to other third parties, such as Google, which intercepts website visitors’ data through Google Tag Manager.

Per the filing, when a user visits OverlakeHospital.org—where patients can research conditions and treatments, input real-time symptoms and receive feedback, find a medical provider and access their patient accounts—the tracking tools capture and disclose to third parties the visitor’s private health data, including their provider details, medical concerns and treatments sought.

The Facebook tracking codes also intercept and disclose a user’s Facebook ID—a unique identifier that can be used to pinpoint an individual’s social media profile, the lawsuit relays. By sharing a visitor’s Facebook ID, Overlake supplies enough data to link a patient’s identity to their online communications and activity, the suit explains.

As the case tells it, Overlake’s conduct has violated its own privacy policy as well as its duties under the Health Insurance Portability and Accountability Act (HIPAA).

The plaintiff, an Overlake patient residing in Washington, says she has accessed the defendant’s website many times to schedule appointments, chat with healthcare providers and review medical and billing records. While doing so, the woman had her confidential information unlawfully captured and shared with third parties without her knowledge or consent, the filing claims.

The lawsuit looks to represent anyone in the United States whose private information was disclosed to a third party without authorization or consent as a result of using OverlakeHospital.org.

Get class action lawsuit news sent to your inbox – sign up for ClassAction.org’s free weekly newsletter here.