23 May 2024
Northern Light Health shared people’s personal medical information with Facebook, a lawsuit filed last week alleges.
The Northern Light system had code-based tracking pixels embedded in its websites, which then transmitted information to Facebook-owner Meta, Google and other third parties, according to a lawsuit filed May 15 in Penobscot County Superior Court.
The anonymous plaintiff, named Jane Doe in the suit against the health care system, lives in Windham and has been a Northern Light patient since 2013. Her lawsuit asks for class action, meaning additional people with similar complaints can join the legal proceedings.
Northern Light did not respond to a request for comment.
The 66-page lawsuit alleges Northern Light was negligent, violated Maine’s Unfair Trade Practices Act, breached an implied contract to keep data reasonably secure, unfairly made money from “valuable sensitive medical information,” violated people’s rights to privacy under Maine law and more.
The lawsuit seeks an unspecified amount of compensatory and punitive damages, as well as three years of paid credit monitoring from Northern Light. It also asks for Northern Light to be forced to create a fund for all members of the class actions, with the money coming from the “unlawful or inequitable proceeds” of the data tracking.
A user’s IP address, pages viewed, search terms, button clicks and form submissions were tracked by the Meta Pixel installed on Northern Light’s website, the lawsuit said. It also linked a user’s interactions on the website to their Facebook profile, meaning their health information was linked.
Through that data, it can be inferred that a specific patient was treated for a specific condition, such as cancer, dementia or HIV, the lawsuit said.
It “effectively planted a bug” on the website, causing the disclosure of private health information and personally identifying information, according to the lawsuit. The lawsuit said the pixel was likely installed in the patient portal, as it was present on the log-in screen, but Northern Light could have configured the pixel in a different way so it did not gather information once someone logged into the patient portal.
The tracking pixel was installed as early as October 2018 and was in use as of at least October 2023, the lawsuit said.
Doe first learned her information was disclosed in October 2023, the lawsuit said. She started receiving health related ads that connected to her private medical treatment, including ads related to inhalers and depression.
Northern Light disclosed Doe’s identity by providing her IP address, pages she viewed, status as patient, search terms, medical treatment services and activity on patient portal through the tracking pixel, the lawsuit said.
The suit claims the practice violates Northern Light’s privacy policies. The health care system promises the “right to security, personal privacy and confidentiality of information” but then transfers personal identifying information to third parties, according to the lawsuit.