Facebook has been receiving private medical data thanks to the tracking tool Meta Pixel, which is installed on many hospital websites, according to a report published June 16 by The Markup, a nonprofit newsroom. The next day, a class-action lawsuit was filed against Facebook parent company Meta, alleging that the company violated health privacy rules.

An anonymous patient filed the case in the Northern District of California on behalf of “millions of other Americans whose medical privacy has been violated by Facebook’s Pixel tracking tool,” reports Fierce Healthcare.

Health information is protected under the federal Health Insurance Portability and Accountability Act (HIPAA). The lawsuit alleges that Facebook received the data without HIPAA authorization or patient consent.

For their report, The Markup's investigators looked at the websites of the top 100 American hospitals included in Newsweek’s “World’s Best Hospitals 2022.” As of June 15, they had found the tracker on the websites of 33 of the 100 hospitals.

According to the lawsuit, though, the plaintiff has identified “at least 664 hospital systems or medical provider web properties where Facebook has received patient data via the Facebook Pixel,” reports Fierce Healthcare.

As The Markup explains, Meta Pixel sends a packet of information to Facebook whenever a person clicks a button on the hospital website to set up an appointment. The data is connected to the IP address of the patient’s computer; that address can then be linked to the person or household. If a company installs the tracker on its website, Meta will send the company analytics for the ads it places on Facebook and Instagram. In some cases, Meta can link the Pixel data with Facebook accounts.

In seven health care systems, investigators found that the tracker was installed within password-protected areas of the web portals.

Information sent to Facebook included doctor’s appointments, prescriptions and medical conditions, such as Alzheimer’s or pregnancy termination.
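For site owners who want to check their own pages for the tracker described above, here is an added example (not code from The Markup's investigation, the lawsuit or Meta): a Python audit that looks for the markers of the standard Meta Pixel snippet (the fbevents.js loader, fbq() calls and the facebook.com/tr beacon) and records whether each page sits behind a login. The page paths, the all-zero pixel ID and the behind_login flag are constructed for illustration.

```python
import re
from html.parser import HTMLParser

# Markers of the standard Meta Pixel snippet: loader script, noscript beacon, fbq() calls.
LOADER = re.compile(r"connect\.facebook\.net/[^\"'\s]*fbevents\.js")
BEACON = re.compile(r"facebook\.com/tr(?:[/?]|$)")
FBQ_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"]")
FBQ_TRACK = re.compile(r"fbq\(\s*['\"]track(?:Custom)?['\"]\s*,\s*['\"]([^'\"]+)['\"]")

class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.in_script = self.found = False
        self.pixel_ids, self.events = set(), set()
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src") or ""
        if tag == "script":
            self.in_script = True
        if tag in ("script", "img") and (LOADER.search(src) or BEACON.search(src)):
            self.found = True
    def handle_endtag(self, tag):
        if tag == "script":
            self.in_script = False
    def handle_data(self, data):
        if self.in_script:  # inline JavaScript only, not visible page text
            self.found = self.found or bool(LOADER.search(data))
            self.pixel_ids.update(FBQ_INIT.findall(data))
            self.events.update(FBQ_TRACK.findall(data))

def audit(pages):
    """pages: {path: (html, behind_login)} -> findings for pages that carry the pixel."""
    findings = []
    for path, (html, behind_login) in sorted(pages.items()):
        finder = PixelFinder()
        finder.feed(html)
        finder.close()
        if finder.found or finder.pixel_ids:
            findings.append({"path": path, "behind_login": behind_login,
                             "pixel_ids": sorted(finder.pixel_ids), "events": sorted(finder.events)})
    return findings

# Constructed sample pages: hypothetical paths and an all-zero placeholder pixel ID.
SNIPPET = ("<script>/* loader body omitted */ load('https://connect.facebook.net/en_US/fbevents.js');"
           "fbq('init', '000000000000000'); fbq('track', 'PageView');</script>"
           "<noscript><img src='https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView'/></noscript>")
SAMPLE_PAGES = {
    "/about": ("<html><body><h1>About us</h1></body></html>", False),
    "/schedule": ("<head>" + SNIPPET + "</head><script>fbq('track', 'Schedule');</script>", False),
    "/portal/appointments": ("<head>" + SNIPPET + "</head><body>My visits</body>", True),
}
```

Calling audit(SAMPLE_PAGES) returns one finding per page that carries the pixel; entries with behind_login set to True are the ones to review first.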

“This is an extreme example of exactly how far the tentacles of Big Tech reach into what we think of as a protected data space,” Nicholson Price, a University of Michigan law professor who studies big data and health care, told The Markup. “I think this is creepy, problematic and potentially illegal,” he continued.

One of the hospitals told The Markup's investigators it was “confident” that Facebook protocols ensured that protected health information wasn’t shared.

The Markup noted that several of the 33 hospitals with the trackers have removed them. The Markup added that it didn’t know how Facebook used the sensitive health data.