Healthcare Pixel Tracking Data Breach Lawsuit Settlements
Several healthcare organizations, including Cerebral, RAYUS Radiology, Sutter Health, Lemonaid Health, and Redeemer Health, have reached settlements in class action lawsuits related to their use of website tracking technologies such as pixels. These lawsuits alleged that the use of such tools resulted in the unauthorized disclosure of personally identifiable and protected health information to third parties like Meta and Google, without patients' knowledge or consent. The settlements provide financial compensation and, in some cases, service credits to affected individuals, with eligibility typically based on prior notification of the data breach.
The legal actions stem from concerns that website tracking technologies, when used on healthcare websites, can transmit sensitive health information to external parties, potentially violating HIPAA and other privacy laws. The U.S. Department of Health and Human Services issued guidance on the use of these tools, emphasizing that they should not be deployed on authenticated patient portals without proper authorization or agreements. The settlements reflect a growing trend of litigation and regulatory scrutiny over the intersection of digital marketing technologies and healthcare privacy obligations.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
7 events from the most recent confirmed update back to the earliest known activity.
Final approval hearings scheduled for pixel lawsuit settlements
Courts scheduled final approval hearings for the healthcare tracking-pixel settlements in late 2025 and early 2026, following preliminary approval. These hearings will determine whether the proposed class action resolutions become final.
RAYUS Radiology reaches preliminary pixel lawsuit settlement
RAYUS Radiology agreed to a preliminary settlement in a class action alleging unlawful disclosure of personal and protected health information to third parties via website tracking tools. The settlement offers affected class members $25 cash payments and a Privacy Shield Pro membership, with no admission of wrongdoing.
Cerebral reaches preliminary pixel lawsuit settlement
Cerebral agreed to a preliminary $500,000 settlement in litigation alleging that website tracking tools disclosed personal and protected health information to third parties including Meta and Google. The settlement provides cash payments and therapy credits to eligible California class members, while Cerebral denied wrongdoing.
Redeemer Health reaches preliminary pixel lawsuit settlement
Redeemer Health agreed to settle a class action over alleged disclosure of patient information through website tracking technologies, offering cash payments and privacy protection services to affected class members. The provider did not admit wrongdoing in the settlement.
Lemonaid Health reaches preliminary $3.25 million pixel lawsuit settlement
Lemonaid Health agreed to a preliminary $3.25 million settlement resolving claims that pixels and cookies on its website unlawfully transmitted patient information to third parties. The company denied liability while opting to settle the litigation.
Sutter Health reaches preliminary $21.5 million pixel lawsuit settlement
Sutter Health agreed to a preliminary $21.5 million settlement in a class action alleging website tracking technologies disclosed patient information to third parties such as Meta and Google without consent. The organization did not admit wrongdoing and said the settlement was intended to avoid further litigation costs and uncertainty.
Cerebral notifies affected individuals of pixel-related data breach
Cerebral notified California residents in March 2023 about a breach involving the alleged disclosure of personal and protected health information to third parties through website tracking tools. This notification later became the basis for a class action settlement.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
2 references tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**. Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
Mar 21, 2026
Kaiser Permanente Settlement Over Web Tracker Data Breach
Kaiser Permanente has agreed to pay up to $47.5 million to settle consolidated class action lawsuits alleging that the healthcare provider's use of web tracking codes on its websites, patient portals, and mobile apps resulted in the unauthorized sharing of sensitive patient information with third-party technology companies, including Google, Microsoft, and X (formerly Twitter). The lawsuits claimed that these embedded trackers violated federal and state laws by disclosing protected health information to external entities without patient consent, leading to a significant HIPAA breach. The incident, reported to federal regulators in April 2024, affected approximately 13.4 million individuals and was the second largest health data breach reported to the U.S. Department of Health and Human Services that year. The settlement addresses allegations that Kaiser Permanente's practices compromised the privacy and security of patient data, highlighting ongoing concerns about the use of third-party tracking technologies in healthcare digital platforms.
Mar 21, 2026
Healthcare Data Breaches and Legal Responses in the United States
Multiple healthcare organizations in the United States have experienced significant data breaches involving the exposure of protected health information (PHI) and other sensitive personal data. In Albemarle County, Virginia, a ransomware attack compromised the PHI of members of its self-insured health plan, as well as data belonging to current and former government and public school employees, their dependents, and individuals who interacted with the county. The compromised information included names, Social Security numbers, health insurance details, and other identifiers. The county has concluded its investigation, notified affected individuals, and is offering complimentary credit monitoring and identity theft protection services. Separately, class action settlements have been reached with three healthcare providers—Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood—following data breaches that exposed patient health and financial information. In one case, Hypertension Nephrology Associates agreed to a $625,000 settlement after a ransomware attack led to the theft of data from nearly 40,000 patients. The lawsuits alleged failures in security practices and delayed breach notifications, with affected individuals being offered credit monitoring services. These incidents highlight ongoing legal and regulatory consequences for healthcare organizations following data breaches involving PHI.
Mar 21, 2026