Orlando Health in Florida faced a lawsuit for using tracking tools on its website that disclosed the plaintiff’s information to third parties, but it pulled through the motion to dismiss. The plaintiff claimed that after using the Orlando Health website to search for information about her medical condition, she had seen targeted Facebook ads specific to her health disorders.
The plaintiff used the Orlando Health website to search about fatty liver disease, heart disease, and ileostomy. Later, her Facebook account was shown ads about heart failure treatments, ileostomy bags, and neurologist services at Orlando Health. The plaintiff is convinced the ads she saw were a result of her queries on the Orlando Health website, though the apps that permitted targeted ads were not seen. She said that the tracking tool gave the research information to third parties such as Meta and Google without her awareness or permission. Then, the data was used to promote products and services depending on the intercepted information.
Many websites have installed website tracking tools. While the tools are used to obtain visitor information and enhance the quality of websites, user data is also used for marketing purposes, like targeted ads when visitors leave the site and surf the web. The HHS’ Office for Civil Rights released guidance on installing these tracking tools on websites, which OCR stated could potentially violate HIPAA. The court partially repealed the guidance, stating that using tracking codes on websites does not violate HIPAA if they are put on unauthenticated webpages. If used on authenticated web pages, permission must be obtained or a business associate agreement must be signed together with the vendor of the tracking tools.
The W.W. v. Orlando Health lawsuit does not involve a violation of HIPAA but a Florida wiretap law, specifically the Florida Security of Communications Act (FSCA). This Act forbids the deliberate interception of electronic chitchats. Orlando Health filed a motion to dismiss the case, saying it only monitored metadata and not the information of any communications. Judge Julie S. Sneed did not agree.
Orlando Health urged patients to use its website to look up information on medical conditions, discuss their clinical symptoms, and use its MyChart patient website and consultation booking program. The search words inputted by individuals on the website are not simple website browsing data because they talk about sensitive data regarding medical conditions. Therefore, Judge Sneed decided that the communications are categorized as the meaning of communications as per FSCA.
Judge Sneed confirmed that the plaintiff successfully reported the three specifications for an FSCA claim, that is that Orlando Health intercepted her electronic messages, including protected information covered by the law, and that website users do not know about the hidden tracking tools, and that the communications were intercepted apart from the plaintiff’s awareness. Judge Sneed dismissed one claim, which is the violation of privacy by intrusion upon seclusion. The dismissal is based on the premise that Florida legislation requires the claim to entail intrusion into a private location instead of a private activity.
Image credit: Khairil, AdobeStock
