novant health settlement

Novant Health Settles Web Tracking Lawsuit for $6.6 Million

North Carolina-based Novant Health settled a class action lawsuit involving web trackers that exposed protected health information (PHI) to third parties. In the summer of 2020, Novant notified over 1.3 million patients that their private information had been sent to Meta (Facebook) with web trackers.

Some of those patients filed a class action lawsuit alleging breach of privacy, claiming that Novant Health’s unauthorized PHI disclosures were “intentional, reckless, and negligent.”

A similar class action lawsuit against Advocate Aurora Health was settled in August 2023 for $12.25 million.

Web Trackers Gather and Analyze Private Information

In May 2020, Novant used a Meta pixel code in a promotional campaign to encourage patients to use a Novant Health MyChart patient portal. When patients logged in to the Novant Health website and the portal, the web trackers collected and sent patient information to Meta without patients’ knowledge or consent.

In its original notice to patients, Novant explained:

“This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook; however, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

Web Trackers May Violate Privacy Laws

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR), which enforces HIPAA, has warned that web tracking technology in healthcare may violate HIPAA.

The Federal Trade Commission (FTC) is also targeting companies that use web trackers because the use of private information violates the FTC Act and the FTC health breach notification rule.

In September 2023, the FTC and HHS jointly issued a publication addressing the use of web trackers in healthcare Collecting, Using, or Sharing Consumer Health Information.

Follow the HIPAA Security Rule

To avoid investigations and costly lawsuits, follow HIPAA and do not disclose protected health information without authorization. Conduct a HIPAA risk analysis and use the Security Rule Checklist to verify patient information is secure.

Share This Post

Maggie Hales

Maggie Hales is a lawyer focusing on health information privacy and security. As CEO of ET&C Group LLC she advises health care providers and business associates in 36 states, Canada, Egypt, India and the EU, using The HIPAA E-Tool® to deliver up to date policies, forms and training on everything related to HIPAA compliance.

Copyright © 2023 ET&C Group LLC.

The HIPAA E-Tool® and Protecting Patient Privacy is Our Job®
are registered trademarks of ET&C Group LLC

Terms of Use | Privacy Policy | Cookies Policy | Privacy Settings | HTML/XML Sitemap

Mailing Address
The HIPAA E-Tool
PO Box 179104
St. Louis, MO 63117-9104

Office
8820 Ladue Road Suite 200
St. Louis, MO 63124

Powered by JEMSU