Catholic Health System & Northwell Health Settle Pixel Lawsuits

The New York-based health systems, Catholic Health System & Northwell Health, have agreed to settle class action lawsuits stemming from their use of pixels and other website tracking and analytics tools, which are alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without consent.

Website tracking and analytics tools are used extensively across the internet for tracking website visitors. While these tools can collect valuable information to help website owners improve their websites, they can also collect and transmit sensitive data to the third-party providers of the tools. That disclosed information may then be used for advertising purposes.

Depending on how these tools are implemented, they may violate the HIPAA Privacy Rule, for example, when they are added to web pages or apps that require authentication. Over the past three years, many lawsuits have been filed over the use of these tools by healthcare providers. HIPAA has no private cause of action, so individuals cannot sue for HIPAA violations. The lawsuits were filed for alleged violations of federal wiretapping laws and state consumer protection laws.

Catholic Health System Pixel Settlement

Catholic Health System, a non-profit integrated health system based in Buffalo, New York, was sued for implementing these tools, which resulted in impermissible disclosures of protected health information to Meta and other third parties. The defendant filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed, and an amended complaint – J.C. v. Catholic Health System, Inc. – was filed in the Supreme Court of the State of New York, County of Erie.

Catholic Health System denies any wrongdoing whatsoever and also denies that tracking technologies were added to its patient portal or electronic medical record system; however, following mediation, a settlement was agreed upon by all parties. The settlement provides benefits to all patients who logged into the Catholic Health System MyChart patient portal from January 1, 2020, through December 11, 2025 (Subclass 1), and any current or former patient who sought and received treatment from Catholic Health System between the same dates, not including individuals in Subclass 1 (Subclass 2).

The defendant has agreed to pay all attorneys’ fees and expenses, settlement administration and notification costs, and service awards for the class representatives. Class members in Subclass 1 may submit a claim for a one-time cash payment of $20, and members of Subclass 2 may submit a claim for a 12-month membership to a Dashlane privacy monitoring service. Class members have until March 11, 2026, to object to the settlement or exclude themselves. Claims must be submitted by April 10, 2026, and the final fairness hearing has been scheduled for April 23, 2026.

Northwell Health Pixel Settlement

Northwell Health, a New York-based nonprofit integrated healthcare system serving patients in New York and Connecticut, faced similar class action litigation over the use of website tracking tools that were alleged to have disclosed sensitive personal and protected health information to third parties such as Meta and Google without patients’ knowledge or consent. Through these tools, the defendant is alleged to have disclosed information related to past, present, or future health conditions, which would allow third parties to determine that an individual was a patient or seeking treatment, together with the type of medical care being sought.

The lawsuit, Kaplan v. Northwell Health, Inc., was filed in the Supreme Court of the State of New York, County of Kings and asserted claims of breach of fiduciary duty/confidentiality, breach of implied contract, unjust enrichment, negligence, invasion of privacy under New York Civil Rights Law, violations of the New York Consumer Law for Deceptive Acts and Practices, and violations of the Electronic Communications Privacy Act.

The defendant denies all claims of fault, wrongdoing, and liability and disagrees with all contentions in the lawsuit; however, to avoid the expense of ongoing litigation and the uncertainty of a trial and related appeals, the decision was taken to settle the litigation. There are two settlement classes, with different benefits. Individuals who used Northwell Health’s FollowMyHealth patient portal between January 1, 2020, and December 31, 2023, are in Settlement Subclass 1 and may submit a claim for monetary relief of $15 per class member. All other patients of Northwell Health between January 1, 2020, and July 25, 2024, not including those in Settlement Subclass 1, are in Settlement Subclass 2 and may claim a 12-month membership to a privacy monitoring service.

The deadline for objection and opting out is March 23, 2026. The deadline for submitting a claim is April 20, 2026, and the final fairness hearing has been scheduled for April 21, 2026.

The post Catholic Health System & Northwell Health Settle Pixel Lawsuits appeared first on The HIPAA Journal.

Greater Pittsburgh Orthopedic Associates Data Breach Affects Almost 57,000 Individuals

Greater Pittsburgh Orthopedic Associates has experienced a ransomware attack that has affected almost 57,000 individuals. Data breaches have also been announced by Triad Radiology Associates in North Carolina and North East Medical Services in California.

Greater Pittsburgh Orthopedic Associates, Pennsylvania

Greater Pittsburgh Orthopedic Associates in Pennsylvania has recently reported a data breach to the Maine Attorney General involving unauthorized access to the personal and protected health information of up to 56,954 individuals, including 3 Maine residents.

According to the notice, anomalous network activity was identified on August 10, 2025. Incident response protocols were initiated, and third-party cybersecurity experts were engaged to assist with the investigation, help secure its IT environment, and harden security. The investigation confirmed that patient data was exposed in the incident, and the review of that data has recently been completed. The exposed data elements vary from individual to individual and may include names in combination with one or more of the following: mailing address, Social Security number, and provider name.

Notification letters started to be mailed to the affected individuals on or around February 5, 2026, and at the time of issuing those notifications, no evidence had been found to indicate any patient data had been misused; however, as a precaution, the affected individuals have been offered complimentary single-bureau credit score, credit report, and credit monitoring services. The Ransomhouse ransomware group claimed responsibility for the breach and said it encrypted files and exfiltrated data from the practice’s network. While the group claims that it will publish the stolen data, its dark web data leak site only includes an “evidence pack,” which currently cannot be downloaded.

Triad Radiology Associates, North Carolina

Triad Radiology Associates, a North Carolina-based physician practice providing medical imaging and radiology services, has notified 11,011 individuals about unauthorized access to an employee’s email account containing electronic protected health information. Suspicious activity was identified within the email account on or around July 30, 2025. After securing the account, an investigation was launched to determine the nature and scope of the activity, with assistance provided by third-party cybersecurity experts.

According to its data breach notice, “Our investigation determined that a limited amount of information may have been accessed between July 11, 2025, and September 8, 2025.” That suggests that despite the account being secured, unauthorized access continued for almost 40 days after the incident was first identified. Triad Radiology said its file review confirmed that the information exposed in the incident included names, addresses, dates of birth, Social Security numbers, driver’s license numbers, bank account information, medical information, and health insurance information. Triad Radiology has reviewed its data security policies and procedures and is taking steps to prevent similar incidents in the future. The affected individuals have been offered complimentary credit monitoring and identity theft protection services.

North East Medical Services, California

North East Medical Services, a San Francisco, California-based network of community health centers in the San Francisco Bay Area and Las Vegas, has recently disclosed a data breach to the California Attorney General. On October 19, 2025, suspicious activity was identified within its computer systems. Third-party cybersecurity experts have been engaged to investigate the incident, and unauthorized network access was confirmed.

The exposed data is currently being reviewed, and North East Medical Services has yet to determine how many individuals have been affected or the types of data involved. Notification letters will be mailed to the affected individuals when the data review is concluded. In the meantime, all patients have been advised to remain vigilant against incidents of identity theft and fraud by monitoring their accounts and explanation of benefits statements for suspicious activity.
