BJC HealthCare (BJC) has agreed to pay up to $9.25 million to resolve a class action lawsuit alleging that it disclosed patients’ protected health information (PHI) to third parties without the patients’ knowledge or consent.
Patients who used the BJC portal, MyChart, from June 2017 through August 2022 are eligible to obtain a cash payment from the settlement funds. This includes anyone who accessed their health information or communicated about bills, appointments, or other services through the portal.
BJC, based in St. Louis, Missouri, operates 14 hospitals and dozens of other healthcare facilities in Missouri and Illinois, including the Washington University teaching hospitals, Barnes-Jewish Hospital, and St. Louis Children’s Hospital.
Plaintiffs in the lawsuit, John Doe et al v. BJC Health System, alleged that BJC operated websites for its patients to communicate with the hospital and its providers. Communications covered a range of topics, including bill payment, doctor services, treatments, medical conditions, appointments, and access to BJC’s MyChart patient portal.
The class action lawsuit alleged that BJC used online web tracker codes on those websites, causing “the unauthorized transmission of personally identifiable patient data and redirection of the communications to be sent to Facebook, Google, SiteScout, Invoca and the Trade Desk without patient knowledge, consent, authorization or affirmative action.”
Web Trackers Gather Data to Sell
The use of web trackers on healthcare websites has been controversial for several years. When a healthcare provider enters a contract with a large tech company like Google or Meta to strengthen its internet presence, the tech company can use web trackers to gather information about website users. The tech company then sells that data to third parties for targeted marketing, advertising, and other purposes.
In the broader realm of internet usage for activities such as shopping, social media, and communications, consumers routinely disclose personal information to the tech platforms in exchange for the use of the platform. The tech platforms’ privacy policies explain that data may be shared with third parties. However, privacy protections around personal health information cannot be swept aside by a tech platform’s privacy policy or terms and conditions.
As a result, lawsuits and HIPAA enforcement have sought to protect individuals from losing their health privacy without their knowledge.
Web Trackers in Healthcare Violate HIPAA
The Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services and the Federal Trade Commission (FTC) have both stated that web trackers in healthcare settings may violate HIPAA and other federal consumer protection laws. See HIPAA Enforcement of Website Tracking Breaches and FTC and OCR Target Health Privacy.
Dozens of class action lawsuits and HIPAA investigations related to website trackers have been brought against healthcare organizations in recent years.
The law firm BakerHostetler has noted that more than 150 web tracker lawsuits against healthcare organizations were filed in 2023, and about 50 were filed in 2022.
One lawsuit is currently in federal court in Northern California against Flo Health, over a fertility-tracking app. Plaintiffs in that case allege that app maker Flo Health unlawfully shared sensitive data of millions of users without their consent with Google, Meta, and other firms, who are named as co-defendants.
Flo Health also defended a Federal Trade Commission enforcement action in 2021 involving similar allegations. In its settlement with the FTC, Flo Health agreed to revise its privacy policies, including obtaining app users’ consent before sharing their health information.
The BJC Settlement
As part of the settlement, BJC denies the allegations and any wrongdoing or liability.
BJC agreed to establish a $5.5 million settlement fund to pay costs of notice and administration for the settlement, service awards to lead plaintiffs, payment of class counsel’s attorneys’ fees and expenses, and the payment of claims.
It also agreed to pay up to $3.75 million on a claims-made basis if the initial settlement fund of $5.5 million is insufficient to cover the submitted claims.
Under the proposed agreement, which a Missouri judge approved in mid-May, settlement class members can submit a claim form to receive a $35 cash payment by October 8. A final court hearing to approve the settlement will be held on October 16.

