guy watching a woman online

Workit Health Privacy Breach Class Action Investigation

Class Action Investigation Over Misuse of Facebook Ad Software

On February 2, 2023, four members of the United States Senate sent a letter to Workit Health where they “express our concern regarding reports that Workit Health is tracking and sharing sensitive and personally-identifiable health data with third-party social media and online search platforms such as Google and Facebook that monetize this data to target advertisements,” using what is known as the Meta Pixel tracking cookie.

The Senators expressed concern that more than 20,000 patients used Workit Health’s website as of 2021. Most Workit’s members are on Medicare or Medicaid, while around 30% have commercial insurance.

Workit Health is a virtual substance abuse treatment center based in Michigan. According to Forbes Magazine, “the startup combines online individual and group therapy along with medication-assisted treatment (like buprenorphine and naltrexone).” The company has also expanded its offerings for conditions commonly associated with substance use disorders like hepatitis C, depression, anxiety, and insomnia.

Workit Health provides online help with overcoming opioid and stimulant addiction, changing relationships with alcohol, diagnosing co-occurring disorders, online prescriptions, and other resources. Workit Health operates through the website at

It claims to help its patients “Quit opioids or alcohol from the privacy of home” and to provide “A future free of addiction [, including recovery] from addiction at home with medication and online support — from the leader in virtual addiction care.”

In October 2021, the company raised $118 million in private equity funding. CVS Health Ventures, FirstMark Capital, BCBS Venture Fund, and 3L Capital also participated in this funding, which valued Workit at around $500 million.

On Workit Health’s website, patients are asked to answer a series of questions about their substance use and mental health. Although Workit Health’s website also claims that “all of the information you share is kept private and is protected by our HIPAA-compliant software,” this information is reportedly sent to advertising platforms, along with the information needed to identify users. This data is highly personal and can be used to target advertisements for services that may be unnecessary or that, according to the U.S. Senate, may be “potentially harmful physically, psychologically, or emotionally.”

Following an investigation into its practices, Workit responded by stating that “out of an abundance of caution, we elected to adjust the usage of a number of Pixels for now as we continue to evaluate the issue.” “Pixels” refers to website tracking technology currently the subject of several privacy investigations, including the Senate investigation.

facebook sign behind guy on phone

This Senate request for information comes shortly after the FTC obtained a $1.5 million penalty against GoodRx and an agreement preventing the company from sharing users’ sensitive health data with third-party advertisers.

If you have used Workit Health’s services over the last two years, your personal information may have been sold to third-party advertisers such as Facebook and Google without your informed authorization or consent.

California’s privacy laws specifically protect your personal information. These laws include:

  • The California Customer Records Act requires reasonable security procedures and practices to protect consumers’ personal information.
  • The California Consumer Privacy Act (CCPA). This law has many protections for the personal information of California residents.
  • The Confidential Medical Information Act (CMIA) protects confidential health-related information. The CMIA requires a health care provider, health care service plan or contractor who creates and maintains medical records to do so in a way that preserves their confidentiality. It is currently unclear whether the information provided to companies due to these tracking pixels violated the CMIA. Investigation into exactly what information was provided to third parties is ongoing.

Depending on the nature of the disclosures, you may be entitled to between $100 and $1,000, or more, or your actual damages, whichever is greater, depending on which California laws may have been violated by this conduct. However, you may only be awarded compensation with legal assistance despite the above California laws.

Participants can recover damages, injunctive relief (to ensure that the business has reasonable security practices to protect consumer data), and anything else necessary to compensate victims and prevent these harms from occurring again.

Identity theft is on the upswing, as this data has significant value, as evidenced by what Workit Health has done to allow companies like Facebook and Google to access your personal information.