The supermarket chain, Kroger, is being sued over the alleged unlawful practice of using tracking technologies on its website to collect the sensitive data of its customers and impermissibly disclosing that information to third parties such as Meta Platforms. The lawsuit was filed in the U.S. District Court of the Southern District of Ohio, Western Division, on behalf of the anonymous plaintiff, Jane Doe, and other similarly situated individuals whose privacy was violated. The lawsuit alleges that patients of the Kroger pharmacy were not made aware that their personal information was being collected and disclosed to third parties. According to the lawsuit, “[The website Kroger.com] surreptitiously manipulated their web browsers, thereby causing their communications with the Defendant via the Website to be shared and/or intercepted by unauthorized third parties.”

Individuals who used the Kroger.com website to submit prescriptions disclosed confidential health information on the site such as the names of their prescription medications, the dosage and form of the medications, and more. From that information, third parties were able to determine, in many cases, the specific type of medical condition they had been diagnosed with, including cancer, HIV, mental health conditions, and pregnancy. Since Meta’s Pixel tracking code connects user data to the user’s individual Facebook ID, the information transmitted to Meta is not anonymous and can be linked to other sensitive information in the user’s Facebook account.

The lawsuit explains that Kroger, as the operator of a pharmacy, is an entity covered and bound by the Rules of the Health Insurance Portability and Accountability Act (HIPAA) and, as such, is not permitted to disclose patient information to third parties without first obtaining consent, unless there is a legitimate reason for doing so and the disclosure is permitted by the HIPAA Privacy Rule. The HHS’ Office for Civil Rights (OCR) confirmed in December 2022 guidance that disclosures of protected health information via tracking technologies on websites and apps are not permitted unless there is a business associate agreement in place or patient authorizations have been obtained. Kroger had neither. While the lawsuit alleged the actions of Kroger violated HIPAA , there is no private cause of action in HIPAA so HIPAA-covered entities cannot be sued for HIPAA violations. The lawsuit alleges there have also been violations of Ohio state law, which expressly prohibits the disclosure of private information without express written consent, and state residents are permitted to sue under Ohio law for violations.

The lawsuit, Jane Doe v. The Kroger Co., alleges a violation of the Electronic Communications Privacy Act, breach of confidence, invasion of privacy/intrusion upon seclusion, breach of implied contract, unjust enrichment, negligence, breach of fiduciary duty, and interception and disclosure of electronic communications. These alleged violations have led to the plaintiff and class members sustaining injuries, including invasion of privacy, loss of benefit of the bargain, diminution of the value of their private information, statutory damages, and the continued and ongoing risk to their private information. The lawsuit seeks class action certification, a jury trial, damages, attorneys’ fees, legal costs, and an order from the courts preventing Kroger from engaging in further unlawful practices.

The attorneys for the plaintiff and class members are Terence R. Coates, Dylan J. Gould, and Spencer D. Campbell of the law firm Markovits, Stock & DeMarco, LLC, and Gary M. Klinger of Milberg Coleman Bryson Phillips Grossman PLLC.

This is one of the latest of many lawsuits that have been filed against healthcare organizations and Meta over the use of tracking technologies. Legal action has also been taken against OCR over its tracking technology guidance, which the lawsuit claims is unlawful.

The post Kroger Sued for Disclosing Pharmacy Patient Data via Meta Pixel Tool appeared first on HIPAA Journal.