Costco sued for unlawfully sharing pharmacy patient health care data

Several members of Costco Wholesale have initiated a federal class-action lawsuit claiming the warehouse club giant illegally shared personal health information.

Filed on Friday in U.S. District Court for the Western District of Washington, the suit alleges that online activity-tracking technology used by Costco—including Meta Pixel code from Facebook parent Meta Platforms—captured sensitive and personally identifiable health data while these customers interacted with the Costco Pharmacy website and/or mobile app and transmitted that information to third parties, including Meta, without their consent.

Issaquah, Washington-based Costco couldn’t immediately be reached by Winsight Grocery Business for comment on the lawsuit, titled Castillo et al v. Costco Wholesale Corporation.

The four plaintiffs are California residents and Costco Pharmacy patients. According to the case documents, they ordered new prescriptions and refills; searched for medications, drug pricing and Medicare supplemental insurance; reviewed co-payment information; checked script pickup times; communicated with pharmacy staff; and provided “personal, private and highly sensitive information” while using the retailer’s pharmacy website or app.

Costco’s use of Pixel “compromised and disclosed to third parties”—without pharmacy patient authorization—such information as computer IP addresses, patient status, prescription details, vaccinations, treatments, patient location and health insurance coverage, as well as unique identifiers used to link patients’ private communications through the website to their Facebook accounts, the complaint said. All four plaintiffs indicated they generally remained logged into their Facebook accounts while online with Costco Pharmacy.

Related:Costco returns e-commerce sales to growth in September

“Specifically, Defendant [Costco] used the sensitive information to gain additional insights into its patients and prospective patients, improve its return on its marketing dollars and, ultimately, to increase revenue. Costco encouraged Plaintiffs and the Class
Members [pharmacy customers] to access and use its website for the purpose of receiving health care services or obtaining health-related information and knowledge, including receiving pharmaceutical services,” the case document stated.

“Plaintiffs and the Class Members never consented to, authorized or otherwise agreed to allow Defendant to disclose their sensitive information to anyone other than those reasonably believed to be part of Costco, acting in some health care-related capacity. Despite this, Defendant knowingly and intentionally disclosed Plaintiffs’ and the Class Members’ sensitive information to Meta and other undisclosed third parties,” the complaint read. “Plaintiffs and the Class Members also did not consent to the Defendant secretly tracking and disclosing their website communications and other online user behaviors while on Costco’s website. Plaintiffs’ and the Class Members’ exposed sensitive information can and will likely be further exposed or disseminated to additional third parties.”

Related:Costco sweetens membership package with low-cost medical visits

Costco doesn’t comment on pending litigation, Patrick Callans, executive vice president of administration at the wholesale club, told the Seattle Times in an email. The Times report also quoted Meta explaining that its technology can sift out sensitive data.

“Advertisers should not send sensitive information about people through our business tools,” Meta said Monday in a statement to the Seattle Times, which noted that Costco is considered a Meta advertiser. “Doing so is against our policies, and we educate advertisers on properly setting up business tools to prevent this from occurring.”