Goshen Health System and Hancock Health in Indiana have agreed to settle class action lawsuits that alleged patients’ protected health information was disclosed to unauthorized third parties via website tracking technologies.

Goshen Health Hospital Data Breach Settlement

On May 23, 2023, a class action lawsuit – Kaitlin Lamarr v. Goshen Health System, Inc. d/b/a Goshen Health Hospital – was filed in the Elkhart County Superior Court, Indiana, against Goshen Health System, doing business as Goshen Health Hospital, over the use of tracking technologies on its website. The lawsuit alleged that these tools, which included Meta Pixel, disclosed patients’ personally identifiable information to Meta and other unauthorized third parties without patients’ knowledge or permission.

The lawsuit asserted claims of negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Indiana Deceptive Consumer Sales Act and the Indiana Wiretapping Act. Goshen Health Hospital denies any wrongdoing, disagrees with the claims and contentions in the lawsuit, and believes that it would have prevailed at summary judgment and/or trial; however, after considering the uncertainty, risks, and expense of proceeding with the litigation, it was more desirable and beneficial to settle the litigation. The plaintiff and class counsel believe that the settlement negotiated with the defendant is reasonable and fair and is in the best interests of the class.

The class consists of individuals who logged into the Goshen Health patient portal between January 1, 2020, and December 31, 2023. Under the terms of the settlement, class members are entitled to submit a claim for a one-off cash payment of $25, and will automatically receive a code to enroll in a Privacy Shield Pro product, which includes dark web watchlist, VPN in touch, password scan, private search functionality, password defense, digital vault, and data broker opt-out services.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 16, 2025. The deadline for submitting a claim is November 29, 2025.

Hancock Regional Hospital Data Breach Settlement

A similar lawsuit – Jennifer Fleece v. Board of Trustees of Hancock Regional Hospital – was filed against Hancock Regional Hospital in the Marion County Superior Court, Indiana, over the use of tracking technologies on its website, which were alleged to have impermissibly disclosed patients’ protected health information to Meta and other third parties without patients’ knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of the Indiana Deceptive Consumer Sales Act. Hancock Regional Hospital maintains that there was no wrongdoing and disputes that it committed, or threatened or attempted to commit, any wrongful act, omission, or violation of law or duty alleged in the lawsuit, and while believing it had a good defense against all of the asserted claims, determined that a settlement was the best course of action. The plaintiff and class counsel believe the settlement is fair.

The settlement class consists of individuals who logged into the patient portal between January 1, 2020, and December 31, 2023. Claims may be submitted for a one-off $25 cash payment, and class members who submit a claim will receive a code to enroll in a Privacy Shield Pro product, which includes dark web watchlist, VPN in touch, password scan, private search functionality, password defense, digital vault, and data broker opt-out services. The final fairness hearing has been scheduled for December 18, 2025, and claims must be submitted by December 1, 2025.

The post Goshen Health & Hancock Health Settle Pixel Data Breach Lawsuits appeared first on The HIPAA Journal.

Florida’s Watson Clinic has agreed to pay $10,000,000 to settle class action litigation over a January 2024 data breach that affected 280,278 individuals. The hackers stole sensitive data, including digital images, and posted them on the dark web.

The Lakeland-based medical group serves approximately one million patients annually and employs around 1,600 team members and 350 physicians. Watson Clinic identified unauthorized access to its computer network on February 6, 2024, and the forensic investigation confirmed that hackers first gained access to its network on January 26.

The review of the exposed files confirmed that they contained the protected health information of current and former patients, including names, addresses, dates of birth, Social Security numbers, government identifiers, driver’s license numbers, financial account information, and medical information, including diagnoses, treatments, medical record numbers, and pre- and/or post-operative medically necessary images.

Watson Clinic received the results of the third-party file review in July 2024, announced the data breach in August 2024, and issued notifications to the affected individuals. Shortly thereafter, the first class action lawsuit was filed by plaintiff Charles Viviani in the U.S. District Court for the Middle District of Florida. A second class action lawsuit was filed by plaintiff David Thorpe in the same court, and the two complaints were consolidated in a single action – Viviani v. Watson Clinic, LLP. Additional notifications were mailed in February 2025 following a further investigation into the extent of the data breach.

The lawsuit asserted claims of negligence, breach of implied contract, breach of fiduciary duty, and violation of the Florida Deceptive and Unfair Trade Practices Act. Watson Clinic denies all material claims and contentions in the lawsuit and charges of wrongdoing or liability. While Watson Clinic believes it has a solid defense against all claims, the litigation would likely be protracted and expensive, and any litigation has inherent risks. Therefore, the decision was made to settle the lawsuit. Class counsel believes the settlement is in the best interests of all class members.

Watson Clinic has agreed to establish a $10,000,000 settlement fund, from which attorneys’ fees and expenses, service awards for the named plaintiffs, and settlement administration and notification costs will be deducted. The benefits for class members are considerable compared to many class action settlements, including cash payments of up to $75,000 for certain class members, based on the types of digital images posted on the dark web.

Class members who had one or more digital images published on the dark web will be sent a check without having to submit a claim. The compensation amounts are detailed in the table below. Class members are only eligible to receive one of the payments below, whichever is greater.

In addition to the one-off cash payments, class members may also submit a claim for the following benefits:

*The residual cash payments will be paid pro rata from the settlement fund once costs and expenses have been deducted, and digital image exposure cash payments and claims for reimbursement of losses have been paid. The funds will be divided equally between the class members electing to receive a residual cash payment. The cash payment will be a maximum of $50, but may be less, depending on the number of valid claims.

The deadline for objection to and exclusion from the settlement is January 6, 2025. The deadline for submitting a claim is February 5, 2025, and the final fairness hearing has been scheduled for March 9, 2025. Further information can be found on the settlement website: https://watsondatasettlement.com/

The post Watson Clinic Agrees to $10 Million Data Breach Settlement appeared first on The HIPAA Journal.

Omni Family Health, a network of 39 community health centers in Kern, Kings, Tulare, and Fresno counties in California, experienced a cyberattack in 2024. A $6.5 million settlement has recently been agreed to resolve the resultant class action litigation.

Omni Family Health experienced a cyberattack in February 2024 that caused a 5-day outage of its IT systems. The cyberattack was investigated at the time; however, no evidence was found to indicate that any patient data had been compromised in the incident. On August 7, 2024, Omni Family Health was made aware that a threat actor (Hunters International) had claimed to have compromised its network and had posted data allegedly stolen in the attack on the dark web.

Omni Family Health investigated and concluded that the data was real and issued notifications to the 468,344 affected individuals, who included current and former patients and employees. Data potentially stolen in the attack included names, addresses, Social Security numbers, dates of birth, health insurance information, and medical information. The affected individuals were notified about the data breach on October 10, 2024.

The first three class action lawsuits were filed in the Eastern District of California on October 20, 2024, and subsequently, 19 separate actions were filed in the Superior Court of the State of California, Kern County. All 21 actions were consolidated into a single action first in the Eastern District of California, and were then remanded to the Superior Court on January 14, 2025, with the case Pace v. Omni Family Health designated as the lead case.

Omni Family Health denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. Despite believing that it had good defenses to all of the claims, Omni Family Health moved to settle the litigation to avoid the time, expense, risk, exposure, inconvenience, and uncertainty of a trial and related appeals. Class counsel evaluated the costs, risks, and uncertainty of continuing with the litigation, and based on an analysis of comparable settlements, determined that the settlement was in the best interests of all class members. The settlement has recently been granted preliminary approval by the court, and the final fairness hearing has been scheduled for February 26, 2026.

Omni Family Health has agreed to establish a $6,500,000 settlement fund, from which attorneys’ fees and expenses (approximately $2.2 million), class representative awards ($1,500 per named plaintiff, totaling $30,000), and settlement notification and administration costs will be deducted. The remainder of the settlement will be used to pay benefits to the class members.

Class members may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. A claim may also be submitted for a pro rata cash payment, which has been calculated to be $105.56 per class member based on a 4% claim rate. All class members are also entitled to claim two years of single-bureau credit monitoring and identity theft protection services, and members of the California resident subclass may claim an additional pro rata cash payment of $100. The cash payments may be adjusted based on the number of valid claims received, and will be calculated after credit monitoring costs have been deducted from the settlement fund.

Omni Family Health has also agreed to implement changes to its business practices and make several security enhancements to prevent similar incidents in the future. The cost of those security enhancements will not be paid from the settlement fund. Individuals wishing to object to the settlement or exclude themselves have until December 5, 2025, to do so, and claims must be submitted by January 5, 2026.

The post $6.5 Million Settlement Resolves Omni Family Health Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

The Iowa-based healthcare company, CarePro Health Services, has agreed to pay $1.3 million to settle class action litigation stemming from a November 2023 cyberattack and data breach affecting up to 151,499 individuals.

The cyberattack that triggered the lawsuit was first identified by CarePro on November 16, 2023. Unauthorized individuals remotely accessed a system where unencrypted patient data was stored. Files containing patients’ protected health information were exfiltrated from the network before the intrusion was detected and blocked. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license numbers/state ID numbers, financial account information, and medical/health information. The affected individuals were offered complimentary credit monitoring and identity theft protection services.

A lawsuit was filed shortly after notifications were mailed to the affected individuals by CarePro patient Brandi Bell, individually and on behalf of similarly situated individuals. The lawsuit was soon followed by another complaint filed by Brandie Keegan, individually and on behalf of her minor child, and similarly situated individuals. The lawsuits were consolidated into a single complaint, Bell et al. v. C.R. Pharmacy Services, Inc. d/b/a CarePro Health Services – in the Iowa District Court for Linn County.

The lawsuit claimed that the plaintiffs suffered concrete injuries as a direct result of the data breach, including invasion of privacy, lost or diminished value of private information, lost time and opportunity costs, and loss of benefit of the bargain. The plaintiffs’ and class members’ personal and protected health information remain in the hands of cybercriminals, placing them at an increased risk of identity theft and fraud for years to come.

The plaintiffs claim that the data breach could have and should have been prevented, as the defendant failed to implement adequate and reasonable cybersecurity measures to protect patient data, recklessly maintaining patient information. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, breach of fiduciary duty, breach of confidence, unjust enrichment, invasion of privacy-intrusion upon seclusion, and violations of the Iowa Consumer Fraud Act and Iowa Personal Information Security Breach Protection Act.

CarePro denies all liability and wrongdoing and disagrees with all claims and contentions in the lawsuit. All parties agreed that further litigation, a trial, and any related appeals would likely be protracted and expensive and involve risks and uncertainties for all parties, so the decision was taken to settle the litigation. It took several months of negotiations; however, a settlement has been agreed upon that is acceptable to all parties.

The settlement includes three benefits for class members, which will be paid for from a $1,300,000 settlement fund after attorneys’ fees and expenses, class representative service awards, and settlement administration costs have been deducted.

A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member. In addition to or instead of a claim for reimbursement of losses, class members may claim a pro rata cash payment, which is expected to be $100 per class member. The cash payment will be adjusted upwards or downwards depending on the number of valid claims received.

All class members are also entitled to claim two years of three-bureau credit monitoring, dark web monitoring, and identity theft protection services. The cost of the credit monitoring services will be deducted from the settlement fund before the cash payments are calculated. The deadline for exclusion from and opting out of the settlement is December 3, 2025. Claims must be submitted by December 3, 2025, and the final fairness hearing has been scheduled for January 23, 2025.

The post CarePro to Pay $1.3 Million to Settle Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Discovery Practice Management, a California-based healthcare provider, has agreed to settle a class action lawsuit stemming from a June 2020 breach of its email environment. An unauthorized third party accessed employee email accounts between June 22, 2020, and June 26, 2020, and obtained sensitive information relating to patients of the Authentic Recovery Center and Cliffside Malibu facilities in California. The data breach was reported to the HHS’ Office for Civil Rights as affecting up to 12,859 individuals.

Data potentially compromised in the incident included names, addresses, dates of birth, medical record numbers, patient account numbers, health insurance information, financial account/payment card information, Social Security numbers, driver’s license numbers, and clinical information, such as diagnosis, treatment information, and prescription information. It took almost a year for the emails to be reviewed and notification letters to be issued to the affected individuals.

In February 2021, a class action lawsuit – JeanPaul Magallanes, et al v. Discovery Practice Management, Inc. – was filed in response to the data breach by JeanPaul Magallanes that alleged that Discovery Practice Management failed to implement appropriate measures to safeguard sensitive data stored on its network, then failed to issue adequate and timely notification letters when its email environment was compromised.

The alleged cybersecurity failures included insufficient monitoring of inbound emails, insufficient training of its workforce on email-based threats, and the failure to encrypt a data server that became accessible to unauthorized individuals who compromised two employee email accounts. Despite the significant risk to the affected patients, it took 335 days from the date of discovery to issue notification letters, which the lawsuit claims violated HIPAA and the California Consumer Records Act.

The lawsuit claims the actions of the defendant violated the California Confidentiality of Medical Information Act, California Unfair Competition Law, and the California Consumer Records Act. All parties agreed to engage in settlement discussions to avoid the cost and risk of a trial, and a settlement has been agreed upon with no admission of wrongdoing by Discovery Practice Management. The settlement has recently been granted preliminary approval by Judge Glenda Sanders of the Superior Court of the State of California, for the County of Orange.

Under the terms of the settlement, all class members are entitled to claim a three-year membership to CyEx’s Identity Defense Total Service, and must enroll by December 9, 2025. In addition, claims may be submitted for reimbursement of documented, unreimbursed ordinary and extraordinary losses caused by the data breach. Claims for reimbursement of ordinary losses are capped at $250 per class member, and claims for reimbursement of extraordinary losses are capped at $1,000 per class member.

The deadline for objection to the settlement, exclusion from the settlement, and submitting a claim is November 24, 2025. The final fairness hearing has been scheduled for February 5, 2026.

The post Discovery Practice Management Settle Lawsuit Over 2020 Data Breach appeared first on The HIPAA Journal.

Data breaches have recently been identified by Sun Valley Surgery Center in Nevada and American Associated Pharmacies in Alabama.

Sun Valley Surgery Center

Sun Valley Surgery Center in North Las Vegas, Nevada, has identified unauthorized access to its computer network. Anomalous activity was identified within its information systems on September 3, 2025. The forensic investigation confirmed that an unauthorized third party accessed parts of its network where sensitive patient information was stored.

Data potentially compromised in the incident included names, contact information, dates of birth, Social Security numbers, driver’s license/state-issued identification numbers, passport/other government identification numbers, and health information such as health histories, diagnosis/treatment information, explanation of benefits, health insurance information, and/or MRN numbers/patient identification numbers. Sun Valley Surgery Center has implemented additional safeguards and technical security measures to prevent similar incidents in the future. Approximately 27,000 individuals were potentially affected.

American Associated Pharmacies

One of the largest independent pharmacy organizations in the United States has recently fallen victim to a ransomware attack that resulted in the encryption of data on its systems. Scottsboro, AL-based American Associated Pharmacies (AAP) identified suspicious activity, including file encryption, within its computer network on October 23, 2024. Immediate action was taken to contain and mitigate the incident, including shutting down all affected systems and changing passwords to prevent further unauthorized access. The forensic investigation confirmed that initial access occurred ten days prior to the attack on October 13, 2024.

Assisted by third-party cybersecurity professionals, AAP determined that before file encryption, the attackers exfiltrated files from its network. The review of those files has recently been completed, and individual notifications are now being mailed to the affected individuals. Data compromised in the incident varies from individual to individual and may include names, addresses, birth dates, Social Security numbers, passport numbers, driver’s license number/other government-issued identification numbers, bank/financial account numbers/routing numbers, clinical/treatment information, medical information, provider names, medical record numbers, health insurance information, prescription information and/or usernames and passwords.

Several steps have been taken to augment security to prevent similar incidents in the future, including implementing further monitoring tools and expanding the use of multifactor authentication. The affected individuals have been advised to monitor their free credit reports, account statements, and explanation of benefits statements for suspicious activity. Credit monitoring and identity theft protection services have been offered to certain individuals, according to the notification sent to the Maine Attorney General. That notification indicates 8,032 individuals have been affected, including 25 Maine residents.

The post Data Breaches Announced by Sun Valley Surgery Center & American Associated Pharmacies appeared first on The HIPAA Journal.

MedQ Inc., an administrative service provider serving the healthcare industry, has agreed to settle class action litigation over a December 2023 ransomware attack that affected 54,725 individuals.

A ransomware group accessed its network and deployed ransomware on or around December 26, 2023. The investigation confirmed unauthorized access to its network from December 20, 2023, and the exfiltration of data from its network. The stolen data included names, dates of birth, health information, health insurance information, Social Security numbers, and driver’s license numbers. Complimentary credit monitoring services were offered, but that was not sufficient to prevent several class action lawsuits.

Five lawsuits were filed in response to the data breach by plaintiffs Sharon Klepper, Shelby D. Franklin, Cheri Ramey, Jana Harrison, and Debra Everett, individually and on behalf of similarly situated individuals. The lawsuits had overlapping claims and were consolidated into a single action – Klepper, et al. v. MedQ, Inc. – in the District Court of Oklahoma County, Oklahoma, on May 13, 2024.

MedQ disagreed with all claims in the lawsuit and maintains there was no wrongdoing or liability. MedQ filed a motion to dismiss, and in the motion to dismiss briefing, all parties decided to explore early resolution of the action and scheduled mediation on December 20, 2024. Following a second attempt at mediation on April 25, 2025, the material terms of a settlement were agreed upon by all parties. The terms of the settlement have now been agreed and have received preliminary approval from the court.

The settlement provides class members with two years of three-bureau credit monitoring services, which include dark web monitoring, public records monitoring, medical identity monitoring, and identity theft insurance. In addition, class members may choose one of two cash benefits. A claim may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, plus a cash payment of up to $90 as compensation for lost time (up to 3 hours at $30 per hour) on tasks related to the data breach, such as changing passwords, investigating accounts, and researching the data breach.  Alternatively, class members may claim a one-time cash payment of $50.

The deadline for objection to and exclusion from the settlement is December 1, 2025. The deadline for submitting a claim is December 15, 2025, and the final fairness hearing has been scheduled for December 18, 2025.

The post MedQ Agrees to Settlement to Resolve Ransomware Attack Lawsuit appeared first on The HIPAA Journal.

First Choice Dental, a network of 12 dental clinics in Dane and Madison counties in Wisconsin, experienced a ransomware attack on October 22, 2023. A settlement has recently been agreed to resolve litigation stemming from the data breach.

As reported by The HIPAA Journal in January 2024, First Choice Dental issued an interim notification about the incident, alerting patients to the exposure of some of their protected health information. At the time of issuing, the investigation into the cyberattack was ongoing. The HHS’ Office for Civil Rights was provided with an interim total of 1,000 affected individuals.

First Choice Dental explained that unauthorized network activity was first identified on October 22, 2023, but it had yet to be determined how many individuals had been affected or the types of data involved. On July 12, 2024, 9 months after the attack, individual notification letters started to be mailed. Patients were told that the compromised information included names, dates of birth, Social Security numbers, passport numbers, driver’s license numbers/government ID numbers, credit/debit card numbers, and health information. The HHS’ Office for Civil Rights breach portal still lists the data breach as affecting 1,000 individuals, although the breach was far more extensive than the breach portal suggests, affecting more than 159,000 individuals.

The first class action lawsuit over the data breach was filed by plaintiff Kelly Gorder on July 17, 2024, in the Dane County Circuit Court of the State of Wisconsin against FCDG Management, LLC, d/b/a First Choice Dental. A further six lawsuits were subsequently filed in response to the data breach, which were consolidated in a single action in the same court – Kelly Gorder, et al., v. FCDG Management, LLC d/b/a First Choice Dental.

According to the consolidated class action complaint, the data breach could have been prevented if First Choice Dental had implemented reasonable and appropriate safeguards and followed industry-standard data security practices. The lawsuit asserted claims of negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, breach of fiduciary duty, and violations of Wisconsin Statute § 146.82.

First Choice Dental denies the claims and contentions in the lawsuit and maintains there was no wrongdoing and no liability, and on January 6, 2025, sought to have the class action lawsuit dismissed in its entirety. That attempt was partially successful, with the court dismissing the claims of invasion of privacy and unjust enrichment, but the other claims were allowed to proceed. After considering the time and expense of litigation and the uncertainty of a trial and related appeals, all parties engaged in mediation on July 1, 2025, and the principal terms of a settlement were agreed upon. The settlement has now been finalized and has received preliminary approval from the court.

The settlement class consists of 159,145 individuals who were notified about the data breach. Those individuals are entitled to claim a three-year membership to the CyEx Medical Shield Monitoring product, which includes a $1 million identity theft insurance policy. In addition, class members may claim one of two benefits. A claim may be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach up to a maximum of $6,000 per class member. Alternatively, a one-time cash payment of $50 may be claimed.

Claims will be paid after settlement administration costs, attorneys’ fees and expenses, and service awards have been paid, along with $225,000 of security improvements. The total settlement costs, inclusive of the above, have been capped at $1,225,000. Claims will be prorated downward if that total is exceeded.

The deadline for submitting a claim is January 28, 2026, and the final fairness hearing has been scheduled for January 12, 2026. Individuals wishing to object to or exclude themselves from the settlement must do so by December 29, 2025. Further information can be found on the settlement website: https://www.fcdgdatasettlement.com/

The post First Choice Dental Agrees to Pay up to $1,225,000 to Settle Data Breach Lawsuit appeared first on The HIPAA Journal.

University of Tennessee Medical Center and Margaret Mary Community Hospital have both agreed to settle class action lawsuits over the use of tracking tools such as Meta Pixel on their websites.

University of Tennessee Medical Center

University of Tennessee Medical Center (UTMC) in Knoxville, Tennessee, has agreed to a settlement to resolve a class action lawsuit that alleged UTMC violated the Tennessee Consumer Protection Act by adding tracking technologies to its website, resulting in the unauthorized disclosure of patients’ personally identifiable health information to Meta, Google, and other third parties.

The lawsuit – Geoffrey Cavalier v. University Health Systems, Inc. d/b/a The University of Tennessee Medical Center – was filed in the Chancery Court for Knox County, Tennessee, and alleged that UTMC used tracking technologies such as Meta Pixel on its websites between January 1, 2015, and September 30, 2023. The plaintiffs allege that the tracking technologies collected and transmitted their personally identifiable information (PII) and protected health information (PHI) to third parties without their knowledge or consent.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, breach of implied contract, unjust enrichment, and violations of the Tennessee Consumer Protection Act, Tenn. Code Ann. § 47-18-101, et seq., and Tenn. Code Ann. § 39-13-601. UTMC denies all claims in the lawsuit, maintains there was no wrongdoing, and contends that no tracking code was added to its patient portal and no protected health information was disclosed to any third party via the utmedicalcenter.org website. After considering the costs and risks associated with continuing with the litigation and a jury trial, UTMC agreed to settle the lawsuit. The plaintiffs believe that the settlement is fair, reasonable, and adequate, and settling is in the best interests of all class members.

All class members, individuals who had a patient portal account between January 1, 2015, and September 30, 2023, may submit a claim for a cash payment of $25.00. All individuals who submit a timely and valid claim for a cash payment will also be provided with a complimentary Privacy Shield Pro membership, which includes dark web monitoring, a VPN, data broker opt-out, and other privacy services. The deadline for submitting a claim is December 9, 2025, and the final fairness hearing has been scheduled for December 8, 2025.

Margaret Mary Community Hospital

Margaret Mary Community Hospital in Batesville, Indiana, has settled a class action lawsuit that alleged unlawful use of tracking technologies on its website. The lawsuit claims that Meta Pixel and other tracking tools were used on its website between 2020 and 2023 without users’ knowledge or permission. The lawsuit alleges that adding those tools to the website caused patients’ personally identifiable information to be transferred to Meta and others.

The lawsuit asserted claims of negligence, negligence per se, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violation of the Indiana Deceptive Consumer Sales Act. Margaret Mary Community Hospital disagrees with all claims and contentions in the lawsuit and maintains that there was no wrongdoing; however, a settlement was agreed to avoid the costs and risks associated with a trial and related appeals.

All class members, individuals who logged into the Margaret Mary Community Hospital patient portal between January 1, 2020, and December 31, 2023, may claim a cash payment of $25.00 and a complimentary membership to a Privacy Shield Pro product. Individuals wishing to opt out of or object to the settlement must do so by November 15, 2025. Claims must be submitted by December 1, 2025, and the final fairness hearing has been scheduled for December 18, 2025.

The post University of Tennessee Medical Center & Margaret Mary Community Hospital Settle Meta Pixel Lawsuits appeared first on The HIPAA Journal.