Communications Litigation Today was a Warren News publication.
'Intercepted by Advertisers'

Summit Health Violated Web Users' Privacy by Monetizing Their PII: Class Action

Summit Health combines patients’ searches for medical information with their protected health information (PHI) and personally identifiable information (PII) and sells it to advertisers without their permission, alleged a privacy class action Wednesday (docket 2:24-cv-06972) in U.S. District Court for New Jersey in Newark. The suit also names Meta, Google, PubMatic, Microsoft and Magnite.

Plaintiff T.G., who used Summit's CityMD website from 2020-2024, searched for information on COVID-19 under a “for free” section of medical articles on the CityMD website, said the complaint. The search generated relevant articles for the Suffolk County, New York, resident to review, but “it also did something far more nefarious: it combined her identifying information with the fact that she was searching for specific care related to the Novel Coronavirus of 2019,” alleged the complaint.

Summit Health then “packaged the information and sold it to advertisers who place their snippets of code on CityMD’s website” so that T.G. and class members “would then potentially be served with advertisements around the internet related to Covid-19 treatments and other related goods and/or services,” it said.

Rather than protecting patient’s sensitive PII and PHI, CityMD “instead opts to monetize it and sell it to third party advertisers who intercept Plaintiff and Class members’ information when they use the CityMD website,” the complaint alleged. When users access the CityMD website, their information “is intercepted by advertisers” including Meta’s Facebook, Google, PubMatic, Microsoft and Magnite, the advertising defendants, it said.

CityMD places the advertising defendants’ tracking codes onto its websites “with the intention of collecting the data that users input into the website in combination with their identifying information,” alleged the complaint. That “runs contrary to state and federal law, to commonly accepted practices with respect to the sanctity of PHI,” and to CityMD’s privacy policy, “which expressly disclaims that such conduct takes place,” it said.

CityMD knew or should have known that by embedding the advertisers’ tracking code, it was disclosing and permitting the advertising defendants to intercept and collect the PHI and PII of its website users, because the codes’ “entire purpose is to monetize data,” the complaint alleged. By opting to repackage the data and sell it, CityMD violates rights afforded to patients under the Health Insurance Portability and Accountability Act (HIPPA), it said. “By being in receipt of ill-gotten private data, especially valuable PII in combination with PHI, the Advertising Defendants each served as a conduit to monetize this precious and private information,” it said.

Patients are required to provide their names, medical and other identifying information in the course of doing business with CityMD, said the complaint. The medical provider allows advertising defendants’ code to “lurk on their website in exchange for the monetization of the data that is intercepted by that code,” it alleged.

CityMD collects patients’ PII in two ways: when a patient inputs it into the CityMD website, and also in the background when it “collects information about the device that the patient is using that can then be used to track that person around the internet,” the complaint alleged. It gave the example of Google Analytics, which allegedly “tracks the user around the internet in order to serve them advertisements in various places.”

Companies “bid for packages of consumers for whom to target with their advertisements,” the complaint alleged. Google and other ad service companies need data to be able to sell ads to companies that want “to target a certain subset of consumers,” it said. “This can only be done when Google has both PII (to identify that a particular internet user is in fact in the subset of consumers desired by a particular company to target) and additional information (to identify the particular products and services that might be of interest to that particular internet user),” the complaint said.

When potential patients search for information on CityMD’s website, they, too, “give over substantial PHI including medical conditions, medications, and other relevant medical information,” the complaint alleged. The website’s search bar allows potential patients to search for articles or specialists related to specific searchable conditions, it said. The information consumers enter into CityMD’s website is “highly personal” and protected as PHI under HIPPA, it alleged.

The complaint cited a December 2022 Health and Human Services bulletin highlighting obligations of healthcare providers under HIPPA, in which HHS said healthcare providers “violate HIPPA when they use tracking technologies that disclose an individual’s identifying information, even if no treatment information is included and even if the individual does not have a relationship with the healthcare provider.” The bulletin also stated that HIPPA applies to healthcare providers with tracking technologies “even on webpages and on mobile applications that do not require patients to login,” said the complaint.

The plaintiff asserts claims of invasion of privacy, unjust enrichment and violation of New York’s General Business Law. She seeks awards of injunctive relief and statutory, actual, compensatory, consequential, punitive, and nominal damages; restitution and/or disgorgement of profits unlawfully obtained; pre- and post-judgment interest; and attorneys’ fees and costs.