North Carolina-based Novant Health settled a class action lawsuit involving web trackers that exposed protected health information (PHI) to third parties. In the summer of 2020, Novant notified over 1.3 million patients that their private information had been sent to Meta (Facebook) with web trackers.
Some of those patients filed a class action lawsuit alleging breach of privacy, claiming that Novant Health’s unauthorized PHI disclosures were “intentional, reckless, and negligent.”
A similar class action lawsuit against Advocate Aurora Health was settled in August 2023 for $12.25 million.
Web Trackers Gather and Analyze Private Information
In May 2020, Novant used a Meta pixel code in a promotional campaign to encourage patients to use a Novant Health MyChart patient portal. When patients logged in to the Novant Health website and the portal, the web trackers collected and sent patient information to Meta without patients’ knowledge or consent.
In its original notice to patients, Novant explained:
“This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook; however, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”
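The notice above describes a pixel that fired on portal pages as well as the public site. One way a defender can spot that misconfiguration before a notification is needed is to audit captured outbound tracker requests for portal page data. The following is an added example, not code from the article or from Novant Health; the tracker endpoint and parameter names (`dl`, `cd[...]`), the portal hostname pattern and every sample URL are assumptions.

```javascript
// Added example (not from the article or Novant Health): flag captured
// tracker beacons that carry patient-portal page data to a third party.
// Endpoint hosts, parameter names, patterns and sample URLs are assumptions.
const TRACKER_HOSTS = ["www.facebook.com", "connect.facebook.net"];
// Assumed: the patient portal lives on a "mychart." subdomain.
const PORTAL_HOST_PATTERN = /(^|\.)mychart\./i;
// Assumed: path segments that typically reveal care details.
const SENSITIVE_PATH_PATTERN = /appointment|visit|result|medication|message|billing/i;

// Returns one finding per beacon that sends portal data, with the reasons.
function auditTrackerRequests(urls) {
  const findings = [];
  for (const raw of urls) {
    const u = new URL(raw);
    if (!TRACKER_HOSTS.includes(u.hostname)) continue; // not a tracker call
    const reasons = [];
    const dl = u.searchParams.get("dl"); // assumed "document location" param
    if (dl) {
      const page = new URL(dl);
      if (PORTAL_HOST_PATTERN.test(page.hostname)) reasons.push("portal host in dl");
      if (SENSITIVE_PATH_PATTERN.test(page.pathname + page.search)) {
        reasons.push("sensitive path in dl");
      }
    }
    // Assumed: custom event data is sent as cd[key]=value parameters.
    const customKeys = [...u.searchParams.keys()].filter((k) => k.startsWith("cd["));
    if (customKeys.length) reasons.push(`custom data: ${customKeys.join(",")}`);
    if (reasons.length) findings.push({ url: raw, reasons });
  }
  return findings;
}

// Constructed sample of captured requests: a promo page view (acceptable),
// a portal scheduling page view with custom data (finding), and a static asset.
const SAMPLE_BEACONS = [
  "https://www.facebook.com/tr/?id=PLACEHOLDER_PIXEL_ID&ev=PageView&dl=https%3A%2F%2Fwww.example-health.test%2Fmychart-promo",
  "https://www.facebook.com/tr/?id=PLACEHOLDER_PIXEL_ID&ev=PageView&dl=https%3A%2F%2Fmychart.example-health.test%2FAppointments%2FSchedule&cd%5Bprovider%5D=Dr%20Example",
  "https://cdn.example-health.test/assets/logo.png",
];

console.log(JSON.stringify(auditTrackerRequests(SAMPLE_BEACONS), null, 2));
```

Run it against a HAR export or proxy log of an authenticated portal session; any finding means the pixel is firing where it should have been excluded.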
Web Trackers May Violate Privacy Laws
The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA, has warned that web tracking technology in healthcare may violate HIPAA.
The Federal Trade Commission (FTC) is also targeting companies that use web trackers, because this use of private information violates the FTC Act and the FTC Health Breach Notification Rule.
In September 2023, the FTC and HHS jointly issued a publication, "Collecting, Using, or Sharing Consumer Health Information," addressing the use of web trackers in healthcare.
Follow the HIPAA Security Rule
To avoid investigations and costly lawsuits, follow HIPAA and do not disclose protected health information without authorization. Conduct a HIPAA risk analysis and use the Security Rule Checklist to verify patient information is secure.