Kroger shared sensitive customer health data without permission, lawsuit claims

Dive Brief:

Kroger is facing a federal class-action lawsuit claiming that the supermarket company shared confidential health details about pharmacy customers without their permission.
The suit, filed Nov. 13, alleges that Kroger “willfully and intentionally” installed tracking code provided by Facebook parent Meta on its web servers that surreptitiously transmitted people’s private information to third parties including the social networking company.
Kroger joins a range of companies, including Costco, facing allegations that it improperly disclosed health-related details collected from consumers to Meta.

Dive Insight:

The lawsuit paints Kroger as a willing partner with Meta in using information people thought was private for marketing purposes.

According to the suit filed on behalf of a plaintiff identified as “Jane Doe,” Kroger embedded tools provided by Meta on its web servers that allowed Facebook to access data including people’s names and other identifying information; appointment times, locations and reasons; prescriptions; and details about their health.

Kroger has positioned itself as a healthcare provider and violated the federal Health Insurance Portability and Accountability Act of 1996 by sharing people’s health information with outside organizations without obtaining “express written authorization,” according to the suit, filed in the U.S. District Court for the Southern District of Ohio, Western Division.

“Plaintiff and Class Members never consented, agreed, authorized, or otherwise permitted Defendant to disclose their Private Information to Facebook, nor did they intend for Facebook to be a party to their communications (many of them highly sensitive and confidential) with Defendant,” the suit says.

A Kroger spokesperson did not respond to a request for comment about the lawsuit by press time.

The computer code Kroger installed on its systems included a Meta tool known as Pixel that “commandeered” consumers’ devices and sent the information they provided to outsiders without their knowledge, according to the suit.

“Simply put, by installing the Facebook Pixel into its Website, Defendant effectively planted a bug on Plaintiff and Class Members’ web browsers and compelled them to disclose their communications with Defendant to Facebook,” according to the suit.

The suit claims Kroger also added Facebook’s Conversions Application Programming Interface, or CAPI, to its servers, allowing it to steer around ad blockers or other privacy controls on a user’s web browser that might have blocked Pixel from sweeping up people’s information.

Kroger used data it obtained from its customers using Pixel and CAPI “for marketing purposes in an effort to bolster its profits,” the suit says, adding that the grocer’s “conduct constitutes an intentional physical or sensory intrusion on Plaintiff’s and Class Members’ privacy because Defendant exceeded its authorization to access Plaintiff’s and Class Members’ information and facilitated Facebook’s simultaneous eavesdropping and wiretapping of confidential communications.”

Kroger has built a considerable presence in the healthcare space in recent years — an effort that included forming a unit known as Kroger Health that comprises its clinics, pharmacy businesses and dietitians. The grocery company currently operates about 2,250 pharmacies and 225 health care centers under The Little Clinic brand in its retail locations.

The lawsuit against Kroger follows other suits claiming that Meta has used its technology in cooperation with other parties to gather private health information from people without permission. The suits include one filed against Costco as well as a pair of suits alleging that Meta worked with hospitals to collect health information.