Mount Sinai class action settlement

Another major hospital system has settled a class action lawsuit over the breach of patients’ sensitive protected health information (PHI) on its MyChart portal. Mount Sinai Health System (Mount Sinai), the largest hospital network in New York City, will pay $5.26 million to settle claims.

This is the second recent announcement by a major health system settling a class-action claim over the sharing of web tracker data. In late July, BJC HealthCare settled a similar case for $9.25 million.

On August 1, a jury found that Facebook’s parent, Meta, had violated the privacy of individuals who used Flo Health, a fertility app that employed website pixel tracking tools.

Mount Sinai Used Facebook Technology

Mount Sinai used the Facebook Pixel and Conversions Application Programming Interface (CAPI) on its website and MyChart patient portal. The website tracker tool collects information about website users and transmits the data to Facebook.

The plaintiffs in the Mount Sinai case alleged that it violated federal and state laws by sharing their personal health information with Facebook without their knowledge or consent. The lawsuit also asserted claims of negligence, invasion of privacy, breach of implied contract, breach of fiduciary duty, unjust enrichment, breach of confidence, constructive bailment, and breach of implied covenant of good faith and fair dealing.

According to the settlement, patients who logged into Mount Sinai’s MyChart platform between October 27, 2020, and October 27, 2023, are considered part of the class affected by the data-sharing allegations. Approximately 1.3 million individuals are eligible to file claims in the lawsuit.

Mount Sinai denied the allegations and maintained it did not share medical information. However, both parties agreed to settle to avoid the costs and risks of continued litigation and to provide compensation to the affected individuals.

Web Trackers May Violate HIPAA

The technology that enables tech companies to access patient data by providing services to healthcare organizations has been a source of controversy for several years.

The Office for Civil Rights (OCR), which enforces HIPAA, and the Federal Trade Commission (FTC) both have stated that website pixel tracking may violate federal privacy and consumer protection laws.

Healthcare organizations benefit from contracts with big tech companies because these companies provide sophisticated interfaces and feedback. The advantage to a tech company like Meta/Facebook is that it obtains access to individuals’ (patients’) information, which it can resell to third parties or use itself for marketing purposes.

The first disclosure, from the healthcare organization to a tech company such as Meta or Google, is alleged to be unauthorized; the tech company's onward disclosure to third parties is also unauthorized. Patients were unaware of, and did not consent to, either disclosure.

In addition to federal and state enforcement of HIPAA, there has been a rise in private lawsuits. Because HIPAA does not provide a private right of action, individuals whose data has been disclosed can file a lawsuit claiming breach of privacy, breach of contract, negligence, and alleged violations of various consumer protection laws at both the state and federal levels.

The HIPAA Security Rule Protects Patient Privacy

Strengthening privacy and security protections for patients and customers is a good business practice that helps earn and maintain trust.

Don’t get caught using website trackers if your customers and patients use your website and portal. If you handle protected health information, carefully review your website, patient portal, and telehealth provider to determine if website trackers are present.

You can change your settings and adapt the tools you use. Both Google Analytics and Meta allow organizations to opt out of their website tracking features. There is also technology available to block website tracking for all visitors to your site and portal. Consult with your marketing team to find the best solution for you.
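The review step above (checking a website or patient portal for trackers) can be started from a static scan of the page's HTML. The script below is an added example, not code from the original post or from Mount Sinai; it looks for the public loader URLs and JavaScript calls used by the Meta Pixel and Google's gtag.js/Tag Manager, which are the tools the post names. The sample page, the hostname `portal.example.invalid`, and the pixel and measurement IDs (`000000000000000`, `G-PLACEHOLDER`) are constructed placeholders.

```python
import re
from html.parser import HTMLParser

# Signatures for the tracker families named in the post. The patterns match
# the public loader URLs and JavaScript calls those tools use on a page;
# they are a starting point for a review, not an exhaustive list.
TRACKER_SIGNATURES = [
    ("Meta Pixel loader", re.compile(r"connect\.facebook\.net/[^\s\"']*fbevents\.js", re.I)),
    ("Meta Pixel fbq() call", re.compile(r"\bfbq\s*\(\s*['\"](?:init|track)", re.I)),
    ("Meta Pixel noscript image", re.compile(r"facebook\.com/tr\b", re.I)),
    ("Google gtag.js loader", re.compile(r"googletagmanager\.com/gtag/js", re.I)),
    ("Google Tag Manager loader", re.compile(r"googletagmanager\.com/gtm\.js", re.I)),
    ("Google gtag() config call", re.compile(r"\bgtag\s*\(\s*['\"]config['\"]", re.I)),
]


class _AssetCollector(HTMLParser):
    """Collects the places trackers usually live: the src attribute of
    script/img/iframe tags and the text of inline <script> blocks."""

    def __init__(self):
        super().__init__()
        self.assets = []          # (location, text) pairs to scan
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and src:
            self.assets.append((f"<{tag} src>", src))
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands inline script text to handle_data unparsed.
        if self._in_script and data.strip():
            self.assets.append(("inline <script>", data))


def find_trackers(html):
    """Return one {'tracker', 'location', 'evidence'} dict per signature
    that matched somewhere in the page (first match per signature)."""
    collector = _AssetCollector()
    collector.feed(html)
    findings, seen = [], set()
    for location, text in collector.assets:
        for name, pattern in TRACKER_SIGNATURES:
            if name in seen:
                continue
            match = pattern.search(text)
            if match:
                seen.add(name)
                findings.append({"tracker": name, "location": location,
                                 "evidence": match.group(0)})
    return findings


# Constructed sample page: a login screen with a Meta Pixel and gtag.js
# installed the way a marketing team typically pastes them into <head>.
SAMPLE_PAGE = """<!doctype html>
<html><head>
<title>Patient Portal (constructed sample)</title>
<script src="https://portal.example.invalid/static/app.js"></script>
<script>
  // constructed stand-in for the Meta Pixel base code; the ID is a placeholder
  var s = document.createElement('script');
  s.src = 'https://connect.facebook.net/en_US/fbevents.js';
  document.head.appendChild(s);
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('js', new Date());
  gtag('config', 'G-PLACEHOLDER');
</script>
</head><body><h1>Sign in</h1></body></html>
"""

if __name__ == "__main__":
    for f in find_trackers(SAMPLE_PAGE):
        print(f"{f['tracker']:30} {f['location']:16} {f['evidence']}")
```

Run it against a saved copy of each portal, telehealth and marketing page (an authenticated page too, since MyChart-style portals serve different templates after login). A static scan has a known blind spot: tags injected at runtime by a tag manager only appear in the rendered DOM, and the Conversions API named earlier sends data server-to-server and leaves no trace in the HTML at all, so the review must also cover server code and vendor integrations.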

This is essential not only for HIPAA and FTC rules, but also to prepare for and defend against potential lawsuits.
