Kaiser Permanente settlement

The Signal in the Noise

In the world of health privacy law, few events have a greater impact than a multimillion-dollar class-action settlement. Kaiser Permanente’s agreement to pay up to $47.5 million to resolve litigation over its use of website tracking technologies is exactly that—a loud alarm ringing through the industry.

While data breaches involving ransomware or lost laptops are common, this settlement highlights a more subtle and increasingly litigated risk: the intersection of digital marketing strategies and patient privacy. For compliance officers, health lawyers, and IT leaders, this case is not just news; it serves as a crucial example of how the HIPAA Security Rule is stringently enforced in today’s digital landscape.

The Facts of the Case

The class-action lawsuit, which consolidated multiple complaints, centered on allegations that Kaiser Permanente installed tracking codes (pixels) from third-party vendors—including Google, Microsoft (Bing), X (formerly Twitter), Adobe, and Quantum Metric—on its websites and mobile applications.

The plaintiffs claimed that these trackers were not just operational tools but were actively sending Sensitive Personal Information (SPI) and Protected Health Information (PHI) to these tech giants without patient consent.

The data allegedly shared included:

  • IP addresses and device identifiers.
  • Search terms entered into health encyclopedias (e.g., symptoms, specific conditions).
  • Navigation patterns within the patient portal.
  • User sign-in status.

Crucially, the lawsuit alleged that this data sharing occurred on authenticated patient portals—spaces where patients reasonably expect complete privacy.

Kaiser Permanente’s health plan, Kaiser Foundation Health Plan, reported the incident in April 2024 to the U.S. Department of Health and Human Services (HHS) as an unauthorized access/disclosure HIPAA breach affecting 13.4 million individuals.

It was the second-largest healthcare data breach reported last year, after the Change Healthcare ransomware attack, which affected 193 million individuals.

The Legal Allegations: Beyond Simple Negligence

For legal professionals, the scope of the allegations is revealing. The plaintiffs threw numerous claims at Kaiser, including:

Negligence: Failure to exercise reasonable care in protecting patient data.

Breach of Contract: Violating the implied and express contracts formed via privacy policies and terms of service.

Invasion of Privacy: specifically “intrusion upon seclusion,” a tort that requires proving an intentional intrusion into private affairs that would be highly offensive to a reasonable person.

Statutory Violations: Breaches of the California Confidentiality of Medical Information Act (CMIA), the federal Electronic Communications Privacy Act (ECPA), and various state consumer protection laws.

The $47.5 million settlement (including a $46 million fund that could grow depending on contingencies) is among the largest in pixel-tracking litigation to date. It highlights that plaintiffs’ lawyers are effectively framing the use of standard marketing tools as wiretapping and privacy violations.

Other Examples of Website Pixel Tracking Lawsuits in Healthcare

Website tracking has been the subject of dozens of class action lawsuits in recent years. Some examples of settlements reached in just the last few months, with the amounts paid, include:

  • Aspen Dental Management (nationwide) – $18.5 million
  • Adena Health System (Ohio) – $17.8 million
  • Henry Ford Health (Michigan) – $12.28+ million
  • BJC Healthcare (Missouri) – $9.25 million
  • The Christ Hospital (Ohio) – $7 million
  • Mount Sinai Health System (New York) – $5.26 million
  • Mammoth Hospital (California) – $380,000

The Compliance Disconnect: Marketing vs. HIPAA

For HIPAA compliance officers and IT Directors, this case reveals a dangerous silo within healthcare organizations: the disconnect between Marketing/Web Development and Compliance/Security.

Marketing teams are motivated to enhance user experience and boost conversion rates. They utilize tools like Google Analytics or Meta Pixel to monitor “user journeys.” However, when a “user” is a patient and the “journey” involves searching for cancer symptoms within a patient portal, that data becomes PHI.

The HIPAA Security Rule Failure: Under HIPAA, disclosing PHI to a vendor, such as Google or Meta, makes the vendor a Business Associate. The vendor must comply with HIPAA and execute a Business Associate Agreement (BAA) to ensure the confidentiality of data.

  • The Problem: The major ad and analytics platforms generally do not sign BAAs for their standard tracking products.
  • The Result: If you place a pixel from a vendor that has not signed a BAA on a page where PHI is generated, you are effectively causing an unauthorized disclosure of PHI at scale.

HHS OCR Guidance: The Warning Shot

This settlement confirms the firm stance taken by the HHS Office for Civil Rights (OCR) in its December 2022 and March 2024 updates to its bulletin on tracking technologies. The OCR clearly stated that identifiers such as IP addresses, when combined with a visit to a specific health-related webpage, may constitute PHI.

While the American Hospital Association (AHA) and others are challenging parts of this guidance in court, the Kaiser settlement shows that the risk of civil liability exists regardless of regulatory enforcement. You don’t only have to worry about an OCR investigation; you also need to consider a class-action lawsuit under state privacy laws.

Tracking Tech Liability Safeguards

If you haven’t assessed your tracking technology, do so now. If you already have, include it in the annual HIPAA Risk Analysis to keep up with any updates. Here’s a quick plan for immediate steps.

Use an inclusive, multi-disciplinary expert audit team from across the organization.

  • Information Technology and Security
  • Privacy/Compliance
  • Legal
  • Marketing – in-house and Marketing Consultants and Vendors
  • Senior Management

The “Pixel Audit” (IT & Compliance)

  • Do not rely solely on a manual review. Use scanning tools to detect all scripts and pixels on your public-facing websites, appointment-scheduling pages, and authenticated patient portals.
  • Key Question for authenticated pages (behind the login): Are any third-party scripts running here? If so, why?
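As an added illustration of the scan step (example code, not from the article or from Kaiser Permanente), the Python below lists every script, image pixel, or iframe a page loads from a host other than the organization's own and flags those not on a BAA allowlist; the page markup, domain names, and allowlist are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample of an authenticated patient-portal page (not a real site).
PORTAL_HTML = """
<html><head>
<script src="https://portal.example-health.org/static/app.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer = window.dataLayer || [];</script>
</head><body>
<img src="https://px.example-adnetwork.test/p?u=1" width="1" height="1">
<iframe src="https://portal.example-health.org/messages"></iframe>
</body></html>
"""

# Hosts the organization controls, and vendors with a signed BAA (assumed values).
FIRST_PARTY = {"portal.example-health.org"}
BAA_VENDORS = {"cdn.example-baa-vendor.test"}


class TagCollector(HTMLParser):
    """Collect the src of every script, img and iframe tag on the page."""

    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append((tag, src))


def audit_page(html, first_party=FIRST_PARTY, baa_vendors=BAA_VENDORS):
    """Return every third-party load on the page, marking whether a BAA covers it.

    Inline <script> blocks have no src and are not listed here; they can still
    inject pixels at runtime, so a real audit also reviews them (or watches the
    browser's network requests) rather than relying on static markup alone.
    """
    parser = TagCollector()
    parser.feed(html)
    findings = []
    for tag, src in parser.sources:
        host = urlparse(src).hostname or ""
        if host in first_party:
            continue
        findings.append({"tag": tag, "host": host, "has_baa": host in baa_vendors})
    return findings
```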

The BAA Litmus Test (Legal and IT)

  • Review each vendor identified in the audit. Do you have a BAA with them?
  • If the answer is no (as with Google Analytics, Meta Pixel, or standard retargeting tools), you must determine whether they are collecting PHI.
  • Evaluate what can be disabled or removed to maintain patient privacy.

Implement “Server-Side” Tagging (IT)

  • Avoid “client-side” tracking (where the browser sends data directly to Google/Facebook).
  • Implement a Customer Data Platform (CDP) or a server-side container. This enables you to “clean” or de-identify data before sending it to marketing partners, removing IP addresses and health-specific parameters.
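As an added example of the de-identification step a server-side container would perform (example code, not from the article or from any vendor's product), the Python below drops events from authenticated pages entirely, strips IP fields, user IDs and search terms, and redacts health-specific URL paths and query parameters before an event is forwarded; the field names, path prefixes and sample events are assumptions.

```python
from urllib.parse import urlparse, urlunparse, parse_qsl, urlencode

# Query parameters assumed to carry health-specific content.
HEALTH_PARAMS = {"q", "search", "symptom", "condition", "diagnosis"}
# Path prefixes assumed to be authenticated or health-specific.
SENSITIVE_PREFIXES = ("/portal/", "/health-encyclopedia/", "/appointments/")
# Fields assumed to hold client IP addresses.
IP_FIELDS = {"client_ip", "x_forwarded_for"}


def scrub_url(url):
    """Drop health-specific query parameters and collapse sensitive paths."""
    parts = urlparse(url)
    path = parts.path
    for prefix in SENSITIVE_PREFIXES:
        if path.startswith(prefix):
            path = prefix.rstrip("/") + "/[redacted]"
            break
    query = [(k, v) for k, v in parse_qsl(parts.query) if k.lower() not in HEALTH_PARAMS]
    return urlunparse(parts._replace(path=path, query=urlencode(query)))


def deidentify_event(event):
    """Return a copy safe to forward to a non-BAA vendor, or None to drop it."""
    if event.get("authenticated"):
        return None  # nothing from behind the login goes to marketing vendors
    out = {k: v for k, v in event.items() if k not in IP_FIELDS}
    out.pop("user_id", None)
    out.pop("search_term", None)
    if "page_url" in out:
        out["page_url"] = scrub_url(out["page_url"])
    return out


# Constructed sample events, shaped like what a server-side container receives.
SAMPLE_EVENTS = [
    {"event": "page_view", "client_ip": "203.0.113.7", "authenticated": False,
     "search_term": "chest pain",
     "page_url": "https://www.example-health.org/health-encyclopedia/?q=chest+pain&utm_source=ad"},
    {"event": "page_view", "client_ip": "203.0.113.8", "authenticated": True,
     "user_id": "p-4411", "page_url": "https://www.example-health.org/portal/messages"},
]
```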

Coordinate Marketing with Compliance in Healthcare

The Kaiser Permanente settlement marks a significant turning point. It indicates that the era of treating digital marketing data as “metadata” separate from “health data” is coming to an end. For the healthcare industry, the message is clear: compliance must extend to the website’s code.

The cost of a pixel is no longer just a marketing expense; it can also mean millions in settlement fees and irreversible reputational damage.
