Costco warehouse customers often get free samples of cheese and beef jerky. But members who fill their prescriptions online at Costco pharmacies allegedly get their sensitive information unlawfully scraped and transmitted to third parties, claim two proposed federal class action lawsuits.

See Also: Navigating SEC Compliance: A Comprehensive Approach to Cybersecurity Resilience

The two lawsuits filed in Washington federal court on Oct. 6 and Oct. 25 allege similar claims – that the used by the membership warehouse giant collect and send individuals’ information without their knowledge or consent to Facebook, Google and other third-party marketers in violation of HIPAA, the Federal Trade Act, and federal and state wiretapping and other laws.

The lawsuits estimate that the Issaquah, Washington-based company’s data collection and disclosure practices have affected hundreds of thousands or possibly more than 1 million people.

Costco, which reported revenue of $237.7 billion in fiscal 2023 ended Sept. 3, operates 862 warehouse centers globally, including 592 in the U.S., and has 127.9 million members in 71.0 million households worldwide.

Government Warnings

The U.S. Department of Health and Human Services in recent months has warned HIPAA-regulated entities that tracking technologies – such as the ones allegedly used on Costco’s website – “transmit personally identifying information to third parties, and that such information should not be transmitted without a HIPAA-compliant written authorization from patients,” alleges the lawsuit complaint filed Wednesday by a plaintiff identified as “R.S” on behalf of herself and others similarly situated.

Information allegedly being collected and transmitted by Costco through its use of the tracking tools includes IP addresses, device IDs and other information individuals entered onto the defendant’s website, such as home address, ZIP code, or phone number, the lawsuit alleges.

“This is precisely the type of information that HIPAA requires healthcare providers to anonymize to protect the privacy of patients,” the lawsuit alleges.

The FTC also has warned entities not covered by HIPAA that they still have an obligation to protect against impermissible disclosures of personal health information under the FTC Act and the FTC Health Breach Notification Rule, the lawsuit alleges.

“Despite these clear laws and regulations, the defendant has essentially planted a bug on patients’ web browsers that forced them disclose private and confidential communications to third parties,” the lawsuit alleges. “Defendant did not disclose the presence of these tracking tools to website users filling prescriptions with Costco.”

“Patients simply do not anticipate or expect that their trusted healthcare provider will send personal health information or confidential medical information regarding their prescriptions to a hidden third party – let alone social media networks and online advertisers like Facebook,” R.S.’s lawsuit alleges.

The other lawsuit, filed by Jesus Castillo and three other California-based plaintiffs on Oct. 6 on behalf of themselves and others similarly situated, makes similar allegations against Costco.

Costco “surreptitiously disclosed millions of Americans’ private and protected communications, including their highly personal health information, to third parties, all without consumers’ knowledge or consent,” the lawsuit alleges.

“By purposely embedding and deploying Pixel on Costco’s Website, Costco engages in the unauthorized disclosure of its pharmacy patients’ highly sensitive protected health information and personally identifiable information to third parties, including Meta Platforms. Such conduct blatantly violates state and federal law,” Castillo’s complaint alleges.

As a result of Costco’s allegedly unauthorized exposure of sensitive information, plaintiffs and class members have suffered injury, including an invasion of privacy, conversion of their private and valuable personal health information for defendant’s gain, statutory damages, and continued and ongoing risk to their personal and health information, Castillo’s complaint alleges.

Both lawsuits seek similar relief, including financial damages and an injunctive order by the court for Costco to address “the imminent and ongoing harm” caused by the company’s alleged conduct and practices.

Costco did not immediately respond to Information Security Media Group’s request for comment on the lawsuits and their allegations.

Growing Scrutiny

The lawsuits against Costco are part of a wave of similar litigation that has been filed in the last year or so against other entities that also allegedly used online trackers unlawfully to collect and disclose patients’ and consumers’ sensitive health and personal information with third parties without their knowledge or consent.

Meta and Google also are named defendants in some of those other lawsuits (see: Federal Judge Inclined to Grant Claims in Meta Pixel Case).

“This is an area of continued focus for government agencies and class action attorneys alike,” said regulatory attorney Rachel Rose.

“HIPAA requires that an entity such as Costco knows where the data is located, who are its business associates or subcontractors, and whether or not there are business associate agreements in place,” Rose said.

“The FTC and HIPAA also require consumer consent, which is reflected in the FTC’s 2023 enforcement actions and joint FTC-HHS letters, which went out to various companies this summer regarding the tracking of information,” she said (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).

Attorney Cory Brennan of the law firm Taft Law said that while she thinks some of the lawsuits arising from the use of third-party tracking technologies “are quite frivolous,” others seem to be bringing serious data privacy issues to light.

“The advice that I continue to give companies using tracking technologies on their website is this: Dig deeper. It’s extremely important for organizations to ask the right questions when investigating this issue,” Brennan said.

Many companies often contend that the data they collect from their websites is not individually identifiable information, she said.

“I will typically offer one piece of circumstantial advice: If you can ascertain, from the data collected by tracking technologies on your website, the exact number of individuals who visited your website on a particular day, then that data is not fully anonymized.”

Rose said that entities using web trackers should carefully review their consent language.

“All of us directly or indirectly agree to certain terms on websites. Make certain as a company that the appropriate language is in place, that it cannot be interpreted as a contract of adhesion, and that a reasonable consumer and patient would understand what they are consenting to,” she said. “The ability to opt out is also critical.”