Lawsuit Claims HealthPartners Illegally Disclosed PII, PHI to Meta

  • Home
  • news
  • Lawsuit Claims HealthPartners Illegally Disclosed PII, PHI to Meta
February 28, 2023

by Brian Eckert

Group Health Plan, Inc., doing business as HealthPartners, secretly disclosed patients’ personally identifiable information (PII) and protected health information (PHI) to Meta Platforms, Inc. and other third parties, claims a Milberg class action lawsuit.

The lawsuit seeks to establish a national class and a Minnesota class and recover damages that include monetary compensation. Anyone who meets the class criteria may be automatically eligible to join.

About HealthPartners

HealthPartners is a nonprofit healthcare organization that serves nearly 2 million medical and dental health plan members nationwide. The company operates a care system with more than 1,800 doctors and 1.2 million patients. It also owns and controls two websites.

  • The HealthPartners website offers services related to the company’s medical care plans, hospitals, and clinics. On the site, members can find medical care providers, view coverage and claims information, pay bills, and access wellness tips.
  • Virtuwell is as a “24/7 online clinic” developed by HealthPartners that lets patients meet virtually with a provider and receive treatment plans for many medical conditions.

HealthPartners, Facebook, the Pixel, and Conversions API

According to Milberg’s class action complaint, HealthPartners used tracking technology on its websites to share patient PII and PHI with Meta’s Facebook. This was allegedly done without patients’ knowledge or consent in order to generate profits for HealthPartners.

The two tracking technologies at issue in the lawsuit are the Facebook Pixel and the Facebook Conversions Application Program Interface (Conversions API).

  • A pixel is a code snippet that tracks website users and the actions they take on a particular site, such as the buttons they click, the pages they view, and the text they type. Websites that employ the tracking code execute it on a user’s web browser. The Facebook Pixel, when installed on a website, shares a user’s Facebook ID and allows their website activity to be tracked and transmitted to Facebook.
  • Conversions API works similarly to the Facebook Pixel, allowing businesses to send users’ web activity to Facebook. One major difference between the two technologies is that Conversions API is executed by the business employing Conversions API (i.e., on the server side), while Pixel is executed on the user side, by their browser (client-side tracking). Server-side tracking therefore cannot be defeated by new browser tools that block client-side tracking.

Privacy-enhanced browsers have made pixels less effective and led to adoption of Conversion APIs. Facebook has encouraged this. However, Conversion APIs have not entirely replaced pixels. The two are typically used in tandem to maximize data capture.

Lawsuit Allegations

Website owners like HealthPartners transmit website user data to Facebook, which in turn sells the data to third party marketers. These marketers then place targeted advertisements on users’ Facebook pages based on their website activity.

The websites that transmit user data to Facebook benefit from this arrangement because, in exchange for the data they send to Meta, Meta provides website owners with analytics about their Facebook ads, as well as tools to more cost-effecively target website visitors.

Thus, website owners have a financial incentive to employ the Facebook Pixel and Conversions API. HealthPartners is specifically accused of engaging in retargeting, a type of online marketing that targets users with ads based on their previous internet communications and interactions.

Defendant regularly encourages Plaintiff and Class Members to use its digital tools, including its Website, to receive healthcare services. Plaintiff and Class Members provided their Private Information through Defendant’s Website with the reasonable understanding that Defendant would secure and maintain any PII and PHI as confidential.

According to Milberg’s lawsuit, HealthPartners shared with Facebook user data that included:

  • The type of medical treatment sought
  • A patient’s particular health condition
  • Efforts to book a medical appointment

Such information, the lawsuit maintains, is private and was shared with Meta and other third parties without patients’ knowledge or consent. These disclosures violated HIPAA standards, medical industry standards, HealthPartners’ privacy policies, and patients’ reasonable expectation of privacy.

Lead Plaintiff and Proposed Classes

The lead plaintiff, a resident of Minnesota and HealthPartners customer, says that she believed her online communications with the company were private and confidential. She never consented to the use of her private information by third parties, or the transmission of her data to third parties.

On behalf of herself and similarly situated individuals, the plaintiff has petitioned the court to certify this class action with the following classes:

  • A National Class consisting of all individuals residing in the United States whose private information was disclosed to a third party without authorization or consent as a result of using Defendant’s websites.
  • A Minnesota subclass comprised of all individuals residing in Minnesota whose private information was disclosed to a third party without authorization or consent as a result of using Defendant’s websites.

Milberg: A National Leader in Class Action Litigation

If you have ever visited the HealthPartners website or Virtuwell, your personal information may have been shared without your knowledge, making you eligible to join this class action lawsuit.

You do not have to hire a lawyer. Milberg is representing all class members on a contingency-fee basis. Since 1965, Milberg has pioneered class action lawsuits, prompted meaningful corporate reforms, and recovered more than $50 billion for our clients.