Healthcare Pixel Tracking Data Breach Lawsuit Settlements
Several healthcare organizations, including Cerebral, RAYUS Radiology, Sutter Health, Lemonaid Health, and Redeemer Health, have reached settlements in class action lawsuits related to their use of website tracking technologies such as pixels. These lawsuits alleged that the use of such tools resulted in the unauthorized disclosure of personally identifiable and protected health information to third parties like Meta and Google, without patients' knowledge or consent. The settlements provide financial compensation and, in some cases, service credits to affected individuals, with eligibility typically based on prior notification of the data breach.
The legal actions stem from concerns that website tracking technologies, when used on healthcare websites, can transmit sensitive health information to external parties, potentially violating HIPAA and other privacy laws. The U.S. Department of Health and Human Services issued guidance on the use of these tools, emphasizing that they should not be deployed on authenticated patient portals without proper authorization or agreements. The settlements reflect a growing trend of litigation and regulatory scrutiny over the intersection of digital marketing technologies and healthcare privacy obligations.
Related Stories

Healthcare Privacy and Data Breach Class-Action Settlements
Several healthcare organizations are resolving class-action litigation tied to alleged exposure of sensitive patient data, with settlements emphasizing cost avoidance rather than admissions of wrongdoing. **Kaiser Permanente** agreed to a **$46 million** settlement over claims that patient interactions with certain Kaiser websites and digital tools resulted in personal health information being transmitted to third parties (including **Google, Microsoft Bing, Twitter/X, and Adobe**) via online tracking/advertising technologies; the allegations focus on web/digital activity rather than Kaiser’s core electronic medical record systems, and the proposed class period spans **2017–2024**. Separately, two healthcare entities reached settlements following **network intrusions** that allegedly exposed protected health information and other sensitive identifiers. **Mystic Valley Elder Services** agreed to pay **$520,000** to settle claims stemming from an **April 2024** incident in which attackers accessed its network and potentially obtained data including SSNs, financial/payment data, credentials, and medical/insurance information affecting **~89,600** people; plaintiffs also alleged delayed detection and notification. **Consulting Radiologists Ltd.** received approval for a **$2.2 million** settlement after a 2024 intrusion affecting up to **583,824** individuals, with allegations including inadequate security controls and delayed breach notification; the organization reported that some impacted records included medical/insurance data and SSNs (for a subset of individuals).
2 months ago

Kaiser Permanente Settlement Over Web Tracker Data Breach
Kaiser Permanente has agreed to pay up to $47.5 million to settle consolidated class action lawsuits alleging that the healthcare provider's use of web tracking codes on its websites, patient portals, and mobile apps resulted in the unauthorized sharing of sensitive patient information with third-party technology companies, including Google, Microsoft, and X (formerly Twitter). The lawsuits claimed that these embedded trackers violated federal and state laws by disclosing protected health information to external entities without patient consent, leading to a significant HIPAA breach. The incident, reported to federal regulators in April 2024, affected approximately 13.4 million individuals and was the second largest health data breach reported to the U.S. Department of Health and Human Services that year. The settlement addresses allegations that Kaiser Permanente's practices compromised the privacy and security of patient data, highlighting ongoing concerns about the use of third-party tracking technologies in healthcare digital platforms.
3 months ago

Healthcare Data Breaches and Legal Responses in the United States
Multiple healthcare organizations in the United States have experienced significant data breaches involving the exposure of protected health information (PHI) and other sensitive personal data. In Albemarle County, Virginia, a ransomware attack compromised the PHI of members of its self-insured health plan, as well as data belonging to current and former government and public school employees, their dependents, and individuals who interacted with the county. The compromised information included names, Social Security numbers, health insurance details, and other identifiers. The county has concluded its investigation, notified affected individuals, and is offering complimentary credit monitoring and identity theft protection services. Separately, class action settlements have been reached with three healthcare providers—Hypertension Nephrology Associates, Asheville Arthritis and Osteoporosis Center, and Intermountain Planned Parenthood—following data breaches that exposed patient health and financial information. In one case, Hypertension Nephrology Associates agreed to a $625,000 settlement after a ransomware attack led to the theft of data from nearly 40,000 patients. The lawsuits alleged failures in security practices and delayed breach notifications, with affected individuals being offered credit monitoring services. These incidents highlight ongoing legal and regulatory consequences for healthcare organizations following data breaches involving PHI.
2 months ago