Paubox News | HIPAA Compliance, Email Security and Healthcare Tech

Costco faces lawsuit over alleged privacy violations

Written by Kirsten Peremore | November 14, 2023

Costco was recently accused of using third-party tracking technology on the Costco Pharmacy website without patient knowledge. 

 

What happened

Two separate lawsuits were filed against Costco Wholesale Corporation, alleging privacy violations related to tracking technologies on its pharmacy web pages. Both cases were filed in October: Castillo et al. v Costco Wholesale Corporation on October 6, 2023, and R.S. v Costco Wholesale Corporation on October 25, 2023. Both were brought before the US District Court for the Western District of Washington in Seattle.

These lawsuits claim that Costco, a HIPAA covered entity due to the nature of its pharmacy division, implemented tracking tools such as Facebook Pixel on its pharmacy webpages without patient knowledge.

This unauthorized use of tracking tools reportedly led to the collection and transfer of sensitive health-related information, such as prescription details and HIV status, to unauthorized third parties, including Google and Adobe, for marketing and advertising purposes. The shared data included personal identifiers like IP addresses and Facebook IDs, which could link individuals to specific medical conditions and result in targeted advertising based on their health information. These alleged actions are a violation of HIPAA and other privacy laws. The lawsuits seek class-action status and a jury trial, aiming for financial compensation and injunctive relief to prevent Costco from continuing such practices.

What they’re saying 

The R.S. case document claimed: “Plaintiff brings this case to address Defendant’s unlawful practice of disclosing Plaintiff’s and Class Members’ confidential, personally identifiable information (“PII”) and protected, health information (“PHI”) (collectively referred to as “Private Information”) to unauthorized third parties via tracking technologies and analytics software embedded on its website (“Tracking Tools”).

“One of the Tracking Tools Defendant installed on its Website is the Facebook pixel, which works in conjunction with related marketing tools and caused patients’ Private Information to be sent to Meta Platforms, Inc. d/b/a Meta (“Facebook”) without patients’ consent when they used Defendant’s website.”

Recent developments in online tracking

In 2022, the US Department of Health and Human Services (HHS) and its Office for Civil Rights issued guidance regarding the use of online tracking technologies by HIPAA covered entities, emphasizing the prohibition of tracking that leads to impermissible disclosures of PHI. This guidance was significant given that a Health Affairs report found that 98.6% of hospitals used such tracking, raising concerns about patient privacy.

In response, the American Hospital Association (AHA), the Texas Hospital Association, Texas Health Resources, and United Regional Health Care System filed a lawsuit in a Texas federal court challenging the HHS ruling.

The lawsuits against Costco raise similar concerns about the use of third-party tracking and the risk it poses to patient data. They highlight a growing concern and legal debate over the balance between using digital tracking technologies in the healthcare industry and protecting patient privacy and PHI.

The next steps 

Following the filing of the lawsuits against Costco, the next steps will involve a series of legal proceedings. The cases, currently in the US District Court for the Western District of Washington at Seattle, will proceed through the judicial process. This typically includes pre-trial activities such as discovery, where both parties gather evidence relating to the use of third-party trackers, and motions, where they may request the court to make specific rulings. In these cases, the plaintiffs seek class action certification, which the court will have to approve. If class action status is granted, the lawsuits will represent the interests of a larger group of affected individuals.
