Northwell Health & Northbay Healthcare Settle Litigation Over Website Pixel Use – The HIPAA Journal
Northwell Health & Northbay Healthcare were sued over the use of tracking tools on their websites, which are alleged to have illegally disclosed sensitive data to unauthorized third parties. Both healthcare providers have agreed to settle the lawsuits.
Northwell Health Data Breach Settlement
Northwell Health has agreed to settle litigation over its use of tracking software on its website. According to the lawsuit, tracking tools such as Meta Pixel and Google Analytics code were added to its website and were configured in a manner that resulted in protected health information being transmitted to third parties, without the consent of website visitors.
The lawsuit – Kaplan v. Northwell Health, Inc. – was filed in the New York State Supreme Court, Kings County, and alleged that information about website users’ past, present, or future health conditions, including the type and date of a medical appointment, was collected and transmitted to third parties. That information could be tied to individuals via identifiers such as their Facebook ID and IP address. The information disclosed could allow third parties to infer that the individual was seeking treatment for a specific medical condition and was a patient of Northwell Health. The lawsuit alleges that the use of tracking tools on the website without obtaining consent violated the Electronic Communications Privacy Act.
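The disclosure pattern described above can be checked for on a site's own traffic. The following audit is an added example, not code from the article or from either provider: it walks a constructed browser network capture and flags Meta Pixel beacons that carry appointment details or fire from patient-facing pages, listing the identifiers (the fbp/fbc cookies and the client IP) that would let the recipient tie the beacon to a person. The hostnames, site paths, cd[...] key names and the capture rows are all assumptions.

```python
# Constructed example: audit a browser network capture, reduced to
# (page_url, beacon_url, client_ip) rows, for Meta Pixel beacons that carry
# health context. A pixel beacon is a request to facebook.com/tr with the event
# in `ev`, the page URL in `dl`, custom data in `cd[...]` and the browser cookie in `fbp`.
from urllib.parse import urlparse, parse_qs

SENSITIVE_PATHS = ("/appointments", "/portal", "/schedule")   # assumed site paths
HEALTH_KEYS = {"appointment_type", "appointment_date", "specialty", "condition"}  # assumed cd[] keys
IDENTIFIER_KEYS = {"fbp", "fbc"}

def is_pixel_beacon(beacon_url: str) -> bool:
    u = urlparse(beacon_url)
    return u.netloc.endswith("facebook.com") and u.path == "/tr"

def audit_beacon(page_url: str, beacon_url: str, client_ip: str):
    """Return a finding dict when the beacon discloses health context, else None."""
    if not is_pixel_beacon(beacon_url):
        return None
    params = {k: v[0] for k, v in parse_qs(urlparse(beacon_url).query).items()}
    # cd[appointment_type]=oncology  ->  custom["appointment_type"] == "oncology"
    custom = {k[3:-1]: v for k, v in params.items() if k.startswith("cd[") and k.endswith("]")}
    page_path = urlparse(params.get("dl", page_url)).path
    health_fields = sorted(HEALTH_KEYS & custom.keys())
    # Either explicit appointment data, or a page whose visit alone implies patient status.
    if not health_fields and not page_path.startswith(SENSITIVE_PATHS):
        return None
    # Identifiers that let the recipient tie the beacon to a person.
    identifiers = sorted(IDENTIFIER_KEYS & params.keys()) + ["client_ip:" + client_ip]
    return {"pixel_id": params.get("id"), "event": params.get("ev"), "page": page_path,
            "health_fields": health_fields, "identifiers": identifiers}

def audit_capture(capture):
    """Run audit_beacon over every captured row, keeping only the findings."""
    return [f for f in (audit_beacon(*row) for row in capture) if f]

# Constructed capture: one scheduling beacon, one harmless page view, one non-pixel request.
SAMPLE_CAPTURE = [
    ("https://hospital.example/appointments/book",
     "https://www.facebook.com/tr?id=000000000000000&ev=Schedule"
     "&dl=https%3A%2F%2Fhospital.example%2Fappointments%2Fbook"
     "&cd%5Bappointment_type%5D=oncology&cd%5Bappointment_date%5D=2024-03-01"
     "&fbp=fb.1.1700000000000.123456789", "203.0.113.7"),
    ("https://hospital.example/about",
     "https://www.facebook.com/tr?id=000000000000000&ev=PageView"
     "&dl=https%3A%2F%2Fhospital.example%2Fabout", "203.0.113.7"),
    ("https://hospital.example/portal/login", "https://hospital.example/static/app.js", "203.0.113.7"),
]
```

Running `audit_capture(SAMPLE_CAPTURE)` returns a single finding for the scheduling beacon, naming the two appointment fields and the fbp cookie and client IP sent with them; the plain page view and the non-pixel request produce nothing.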
Northwell Health disagrees with the claims and contentions in the lawsuit and sought to have the lawsuit dismissed. Northwell Health believes it would have prevailed on its motion to dismiss; however, before the motion to dismiss was argued, all parties engaged in settlement discussions. After considering the likely cost of continuing with the litigation and the risks associated with doing so, the decision was taken to settle the lawsuit.
There are two subclasses, the first of which consists of individuals who logged into the FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, and any patient who booked an appointment via the website between the same dates. Those individuals may claim a cash payment of $15.00. The second subclass consists of all other Northwell Health patients between January 1, 2020, and July 25, 2024, who are not included in the first subclass. Individuals in both subclasses are entitled to a 12-month subscription to a privacy monitoring service. Claims must be submitted by April 20, 2026. The final fairness hearing has been scheduled for April 21, 2026. Individuals wishing to opt out of the settlement or object must do so by March 23, 2026.
Northbay Healthcare Data Breach Settlement
Northbay Healthcare, the operator of two hospitals in Fairfield and Vacaville, California, and several care centers in Solano County, settled litigation over its use of website tracking tools, which are alleged to have impermissibly disclosed patient data to Meta Platforms, Google, and others.
The lawsuit – J.A., T.A., and N.C. v. NorthBay Healthcare Corporation – was filed in the Superior Court of Solano County, California, and alleged that the inclusion of the tools on its website, without informing patients and obtaining consent, resulted in an invasion of privacy and other common law and statutory violations. NorthBay Healthcare denies all allegations of wrongdoing and liability, and all material allegations in the class action complaint. After considering the likely costs of protracted litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation.
Under the terms of the settlement, individuals who were California residents between November 29, 2020, and May 14, 2024, and visited a Northbay Healthcare website or used the patient portal between those dates may submit a claim for a cash payment of $15.00. Class members may also claim a 12-month subscription to the CyEx Privacy Shield Pro privacy protection service. The deadline for opting out, objecting, and submitting a claim is March 12, 2026. The final fairness hearing has been scheduled for March 19, 2026.
Comstar to Pay State AGs $515,000 to Settle Alleged HIPAA Violations – The HIPAA Journal
Comstar, a Massachusetts-based ambulance billing and collections company, has been investigated by the Massachusetts Attorney General and found to have violated the Health Insurance Portability and Accountability Act (HIPAA) and the Massachusetts Data Security Regulations. Comstar will pay a $515,000 penalty to resolve the alleged violations.
Comstar was investigated over a March 2022 cyberattack and data breach. A cyber threat actor breached its network, exfiltrated files, and used ransomware to encrypt data on its network. While the attack was detected on March 26, 2022, the ransomware group gained access to its network on March 19, 2026. The forensic investigation confirmed that protected health information (PHI) had been stolen, including names, Social Security numbers, driver’s license numbers, financial information, and medical assessment information. The PHI of 585,621 individuals was compromised in the ransomware attack, including 326,426 Massachusetts residents and 22,829 Connecticut residents.
The Rowley, Massachusetts-based company faced an investigation by the Department of Health and Human Services Office for Civil Rights (OCR), which determined that Comstar failed to conduct a comprehensive and accurate risk analysis to identify risks and vulnerabilities to the confidentiality, integrity, and availability of electronic protected health information (ePHI) stored within its systems. The alleged HIPAA violation was resolved with a $75,000 financial penalty and a corrective action plan.
An investigation was also launched by the Massachusetts Attorney General to assess whether Comstar had complied with HIPAA, the Massachusetts Consumer Protection Act, the Massachusetts Data Security Regulations, and the Massachusetts Data Security Law. The Connecticut Attorney General partnered with the Massachusetts Attorney General in the investigation. Massachusetts Attorney General Andrea Campbell alleged that Comstar had violated HIPAA and the Massachusetts Data Security Regulations by failing to maintain an adequate Written Information Security Program (WISP), which should have allowed the company to identify and correct vulnerabilities and inadequacies in its data security program.
The consent judgment was filed in Suffolk Superior Court on January 28, 2026, and awaits approval from the court. If approved, Massachusetts will receive $415,000, and Connecticut will receive $100,000. In addition to the financial penalty, Comstar is required to implement additional security measures. An effective WISP must be established and maintained, as well as anti-phishing software, multifactor authentication, an intrusion detection/prevention system, and a security incident and event management platform.
Comstar must also implement and maintain a comprehensive and accurate IT asset inventory, appropriate access controls, password policies requiring strong unique passwords for all accounts, encryption for ePHI at rest and in transit, data loss protection software, a penetration testing program, and security software on all laptop and desktop computers. Comstar must also arrange for third-party annual security assessments to be conducted for the next three years. The Massachusetts and Connecticut Attorneys General require reports to be submitted by the third-party assessor on the findings of each annual security risk assessment.