Columbus Regional Health is facing a proposed class-action lawsuit alleging that it unlawfully shares the personal health information of patients with Meta, the parent company of Facebook, and other tech giants in violation of federal and state privacy laws.

The lawsuit, filed on the Indiana Commercial Court docket in Marion Superior Court 1 in Indianapolis, claims that CRH embedded tracking technology on its website that collects and shares information about its patients with Meta, Google and Microsoft. This included the website’s search function, appointment-request forms and the “Find a Doctor” physician search function, the lawsuit alleges.

The complaint further alleges that CRH’s use of the technology violates HIPAA, the federal patient privacy law, as well as the Indiana Deceptive Consumer Sales Act and the Indiana Wiretapping Act.

Columbus residents and CRH patients Brian and Annie Elkins are listed as plaintiffs in the lawsuit. Annie Elkins also is identified in the complaint as a former CRH employee. The lawsuit proposes a class made up of any Indiana resident whose private information was disclosed by CRH through the tracking technology.

“When plaintiffs and class members used these online platforms, they thought (they) were communicating exclusively with their trusted healthcare provider,” the lawsuit alleges. “Unbeknownst to plaintiffs and class members, however, defendant had embedded pixels from Facebook, Google and Microsoft into its online platforms, surreptitiously forcing plaintiff and class members to transmit intimate details about their medical treatment to third parties.”

Since being filed in May, the lawsuit has bounced between the state and federal court systems. In June, CRH sought to move the lawsuit to federal court, arguing, among other things, that the complaint involves alleged violations of federal privacy standards, court records show.

Attorneys representing CRH said in a court filing they planned to argue in federal court that the hospital system did not violate federal privacy standards, and the “specific information that is purportedly ‘disclosed’ are outside of the purview of protected health information.”

However, a federal judge sent the lawsuit back to Marion Superior Court on Oct. 10, finding, among other things, that using alleged violations of federal standards as evidence for civil liability under state law does not, by default, confer jurisdiction to a federal court.

As of Tuesday, CRH had not responded to the complaint in state court. CRH officials declined to comment on the lawsuit, citing the pending litigation.

“In order to protect the integrity of a pending case, Columbus Regional Health refrains from comment on active litigation matters,” CRH spokeswoman Kelsey DeClue said. “However, our organization intends to vigorously defend against these claims.”

The allegations against CRH come as a growing number of hospitals and health systems across the country face lawsuits that allege they disclosed private patient data to tech giants through tracking technology on their website and other online platforms.

The lawsuits largely involve the use of tracking technology called tracking pixels, which are pieces of computer code embedded into a website that can track and record a range of personal data on how a user interacts with the website, including information that users have typed in a form while on the website, according to the Federal Trade Commission’s Office of Technology.

Pixels can be hidden from view, and blocking third-party cookies may not prevent pixels from collecting and sharing information. Businesses commonly use them to track consumer behavior and target them with advertisements based on their online activity.

Many of the lawsuits, including the one filed against CRH, mention the use of the Meta Pixel, a tracking pixel developed by Facebook parent company Meta.

For its part, Meta has described the Meta Pixel as “a snippet of JavaScript code that loads a small library of functions” that can track Facebook ad-driven visitor activity on a website and “match website visitors to their respective Facebook user accounts.”

Court filings have alleged that the Meta Pixel can track information about a visitor’s device, including IP address and the pages viewed. It also can be configured to track search terms, button clicks and form submissions.

However, it is unclear how CRH had configured those tools or if it even used them at all. The complaint does not specify how the plaintiffs concluded that CRH uses the tracking pixels, though it does claim that the hospital system also uses what the plaintiffs described as other similar technology such as Google Tag Manager, Google Analytics and Microsoft’s Bing Universal Event Tracking.

“If a patient visits (CRH’s) website and clicks ‘Mental Health Services’ under defendant’s ‘Service Centers’ page, the individual’s browser sends a request to Defendant’s server requesting that it load the webpage,” the lawsuit claims. “Then, Meta Pixel sends secret instructions back to the individual’s browser, causing it to imperceptibly record the patient’s communication with CRH, such as the page visited, and transmit it to Facebook’s servers alongside personally identifying information, such as the patient’s IP address. …Google and Microsoft process this data in a similar manner, using it to connect health information to particular individuals and to build marketing and other data profiles.”

The issue of tracking technologies in health care settings came to light in June 2022 after a report by tech publication The Markup found that the Meta Pixel was installed on 33 of Newsweek’s top 100 hospitals in the country, including Johns Hopkins Hospital, UCLA Reagan Medical Center and Duke University Hospital.

The publication said former regulators, health data security experts and privacy advocates reviewed the report’s findings and found the hospitals’ use of the tracking tool may have violated HIPAA.

In December, the U.S. Department of Health and Human Services warned that website trackers could violate HIPAA and that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures.”

“Such disclosures can reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals and where an individual seeks medical treatment,” HHS said in December.

In June 2022, anonymous plaintiffs filed a proposed class-action lawsuit against Meta in federal court, alleging that the tech giant violated the medical privacy of patients through its Meta Pixel tool. That lawsuit is currently pending in federal court.

When the lawsuit was filed, attorneys for the plaintiffs alleged that they had identified through experts at least 664 hospital systems or medical provider web properties in the United States where Facebook had received patient data via the Metal Pixel.

Since then, lawsuits have been filed against Cedars-Sinai Health System in Los Angeles, Rush University System for Health in Chicago, U of L Health in Louisville, LCMC Health in New Orleans, among several others across the country.

By this past April, at least 18 hospitals and health systems were facing similar lawsuits, according to Becker’s Health IT.

The Indiana Association for Healthcare Quality has said that several entities have reported HIPAA breaches related to their use of tracking technologies, including pixels, and that “class-action lawsuits are also regularly being filed against health care organizations that utilize web-tracking technologies.”

At least one healthcare system in Indiana, Community Health Network, has notified patients that some of the third-party tracking technologies installed on its website, including the MyChart patient portal and some of its appointment-scheduling pages, transmitted certain patient information to vendors such as Facebook and Google, according to the network’s website.

Most of those technologies, which the network said were in use since April 2017, were disabled or removed by this past November.

As of Tuesday, the lawsuit against CRH was pending in state court.

Claims made in filing a lawsuit represent only one side of the case and may be contested in later court action.