Legal News about HIPAA Compliance

Skagit Regional Health Settles Meta Pixel Class Action Litigation

Skagit County Public Hospital District No. 1, doing business as Skagit Regional Health, the operator of Skagit Regional Hospital in Mount Vernon, Washington, has agreed to settle class action litigation stemming from its use of Meta Pixel and other tracking tools on its website, which may have disclosed patient information to third parties.

Like many hospital operators, Skagit Regional Health added tracking technologies such as Meta Pixel to its website. These tools track user activity on websites, such as the pages visited and time spent on each page; however, they can collect a range of information that can be tied to individuals via various identifiers, including IP addresses. The data collected by these tools is typically transmitted to the providers of these tools, and in the case of Meta Pixel, the data can be used to serve targeted advertisements.

On November 8, 2024, a lawsuit was filed in Skagit County Superior Court in Washington by Dave Suther – Dave Suther v. Skagit County Public Hospital District No. 1, d/b/a Skagit Regional Hospital – alleging the defendant had used tracking tools on the hospital website which collected and transmitted protected health information to Meta and other third parties without the knowledge or consent of website users. The lawsuit asserted claims of negligence, negligence per se, invasion of privacy-intrusion upon seclusion, invasion of privacy-disclosure of private facts, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of both the Washington Consumer Protection Act and the Washington Privacy Act.

The defendant denies any wrongdoing or liability and believes it would prevail at summary judgment; however, after taking into account the costs, time, and distraction of continuing with the litigation and the uncertainty and risks associated with any litigation, it agreed to engage in settlement discussions. A settlement has now been agreed that is acceptable to all parties, and the settlement has received preliminary approval from the court. Under the terms of the settlement, Skagit Regional Health has agreed to cover the cost of attorneys’ fees and expenses, settlement administration costs, class representative awards, and a cash payment of $20 for all class members.

The class consists of individuals who were patients of Skagit Regional Hospital and who navigated to, signed up for, logged in to, or used its patient portal between May 1, 2021, and September 5, 2025. Individuals wishing to object to the settlement or exclude themselves must do so by November 3, 2025. Claims for cash payments must be submitted by November 3, 2025, and the final fairness hearing has been scheduled for November 21, 2025. Further information can be found on the settlement website: https://www.sutherpixelsettlement.com/

The post Skagit Regional Health Settles Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.

Reid Health Settles Meta Pixel Class Action Data Breach Lawsuit

Reid Hospital & Health Care Services, Inc., doing business as Reid Health, in Richmond, Indiana, has agreed to a settlement to resolve class action litigation over the alleged use of Meta Pixel and other tracking tools on its website.

According to the lawsuit, Jane Doe v. Reid Health, filed in Wayne County Superior Court, State of Indiana, Reid Health impermissibly disclosed patients’ protected health information to third-party technologies without patients’ knowledge or consent. Meta Pixel and other tracking tools can collect information about website users based on their interactions with a website where the tracking code is installed. That information can be linked to individuals via their IP address or, if they are logged into certain accounts at the time of the visit, via those accounts. The tracking tools can collect information about the web pages visited, searches performed on the site, and information selected in drop-down boxes. That information can reveal sensitive information about individuals and may be used by third parties to serve them with targeted advertisements.

According to the lawsuit, using these tools without alerting website users amounted to negligence. The lawsuit also asserted claims of negligence per se, unjust enrichment, breach of fiduciary duty, invasion of privacy, and a violation of the Indiana Deceptive Consumer Sales Act. Reid Health vigorously denies the disclosure of any personally identifiable information to Meta or other third parties without permission and maintains that there was no wrongdoing whatsoever. Reid Health disputes that it committed, or threatened, or attempted to commit any wrongful act or violation of any law. Reid Health believes that if the lawsuit were to proceed to summary judgment or trial, it would be successful; however, after considering the cost, uncertainty, and risks inherent in any litigation, the decision was taken to settle the lawsuit.

Following mediation, all parties agreed upon a suitable settlement that provides monetary relief and membership to a medical shield product. Class members may submit a claim for a cash payment of $25 and will automatically receive a code to enroll in the medical shield product, which protects against misuse of the class members’ personal information. Notifications about the settlement were mailed on September 25, 2025, and class members have until October 25, 2025, to object to or exclude themselves from the settlement. Claims for a cash payment and Medical Shield membership must be submitted by December 24, 2025, and the final fairness hearing has been scheduled for December 9, 2025.


EyeMed Vision Care Agrees to Pay $5 Million to Settle Class Action Data Breach Lawsuit

EyeMed Vision Care has agreed to pay $5 million to settle a class action lawsuit stemming from a June 2020 data breach.  The data breach was identified by EyeMed Vision Care on July 1, 2025, when suspicious activity was observed in an employee’s email account. An employee had responded to a phishing email, allowing their email account to be accessed on June 24, 2020. Between June 24, 2020, and July 1, 2020, the threat actor used the account to send around 2,000 phishing emails.

The investigation revealed the account contained emails dating back 6 years. Those emails included the personal and protected health information of 2.1 million individuals. Data compromised in the incident included names, contact information, dates of birth, Social Security numbers, vision insurance account/identification numbers, medical diagnoses and conditions, and treatment information.

The first class action lawsuit in response to the data breach was filed in January 2021 by plaintiff Chandra Tate, which was followed by a second class action lawsuit around a week later. The two lawsuits were consolidated – Tate, et al. v. EyeMed Vision Care, LLC – as they had overlapping claims. The lawsuits asserted claims of negligence, negligence per se, breach of implied contract, unjust enrichment, and violations of California’s unfair competition law, the California Confidentiality of Medical Information Act, and the California Consumer Privacy Act.

EyeMed Vision Care filed a motion to dismiss; however, only the negligence claim was dismissed, and all other claims were allowed to proceed. EyeMed Vision Care denies all claims and contentions in the lawsuit, maintains there was no wrongdoing, and denies that it has any liability; however, it has agreed to settle the lawsuit to avoid the costs, risks, and uncertainty of continuing with the litigation.

In June 2024, all parties engaged in mediation, and a settlement was ultimately agreed upon that was acceptable to all parties. The settlement has now received preliminary approval from Judge Douglas R. Cole of the U.S. District Court for the Southern District of Ohio, Western Division. Under the terms of the settlement, EyeMed Vision Care will establish a $5 million settlement fund to cover attorneys’ fees and expenses, settlement administration costs, and service awards. The remainder of the settlement fund will be used to pay benefits to the class members.

Class members may choose to receive a $50 cash payment, which may be increased or decreased depending on the number of valid claims received.  In addition, a claim may be submitted for up to four hours of lost time at $25 per hour (max $100) for time spent dealing with issues associated with the data breach. A claim may also be submitted for reimbursement of documented, unreimbursed out-of-pocket expenses due to the data breach, up to a maximum of $10,000 per class member, including any claim for lost time. Claims are subject to a pro rata reduction should the $5,000,000 cap on payments be reached.

EyeMed has also agreed to make changes to its business practices, including enhancing authorization requirements, providing additional security awareness training to the workforce, updating its internal password reset requirements, conducting audits for weak passwords, enhancing its multifactor authentication requirements, shortening the mailbox data retention period, and engaging a third-party vendor to conduct an updated HIPAA risk assessment. Individuals wishing to object to or exclude themselves from the settlement must do so by November 11, 2025. The deadline for submitting a claim is December 11, 2025, and the final fairness hearing has been scheduled for January 7, 2026.

This was not the only EyeMed Vision Care settlement to be reached over the data breach. In January 2022, the New York Attorney General announced that EyeMed Vision Care had agreed to pay a $600,000 fine to resolve alleged violations of New York General Business Law, and later that year, the New York State Department of Financial Services (DFS) fined EyeMed Vision Care $4.5 million for alleged violations of the DFS Cybersecurity Regulation. In 2023, a multi-state data breach investigation involving the Oregon, New Jersey, Florida, and Pennsylvania Attorneys General was settled with a $2.5 million penalty. This $5 million class action settlement takes the settlement total up to $12,600,000.


SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit

Individuals who used SSM Health’s MyChart patient portal when tracking tools were active are entitled to claim a cash payment and a 12-month membership to a digital privacy and identity protection service to compensate them for having their personal and health data disclosed to third parties such as Meta and Google.

The settlement resolves all claims in the lawsuit, Jane Doe v. SSM Health Care Corporation, d/b/a SSM Health, which was filed in the Circuit Court for the City of St. Louis in the State of Missouri on December 5, 2022. The lawsuit alleged that SSM Health added Meta Pixel and other third-party tracking technologies on its MyChart patient portal, which collected and transmitted protected health information to third-party tracking vendors, including their status as patients, their physicians, health conditions, treatments, facilities visited, and other sensitive data, without their knowledge or consent.

Tracking tools are used extensively across the internet to track user activity on websites. The data collected by these tools can be used for advertising and marketing purposes. In healthcare, if these tools are used on authenticated web pages such as patient portals, they can collect sensitive health data and transmit that information to technology vendors. Such disclosures violate HIPAA unless a business associate agreement is in place with the vendor or valid HIPAA authorizations have been obtained from the patients.

The plaintiff alleged that SSM Health’s use of these tools amounted to negligence. The lawsuit also asserted claims of invasion of privacy – intrusion upon seclusion, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a violation of the Illinois Consumer Fraud and Deceptive Practices Act. SSM Health denies all claims and contentions in the lawsuit and maintains there was no wrongdoing; however, a settlement was agreed to bring the litigation to an end to avoid the costs, risks, and uncertainty of a jury trial. Class counsel and the plaintiff believe the settlement is fair.

Under the terms of the settlement, users who logged into the SSM Health MyChart patient portal between July 6, 2020, and February 10, 2023, when tracking tools were installed, are entitled to claim a 12-month membership to the CyEx Privacy Shield Pro service, which provides dark web monitoring, data broker opt-out, and identity protection services. In addition, class members may submit a claim for a cash payment of $31.50.

The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 21, 2025. Individuals wishing to opt out of or exclude themselves from the settlement have until October 27, 2025, to do so, and claims must be submitted by November 25, 2025. Further information can be found on the settlement website: https://ssmhealthdatasettlement.com/


Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million

A class action lawsuit against Hospital Sisters Health System has been settled for $7.6 million. The lawsuit relates to an August 2023 cyberattack that affected approximately 883,000 individuals. The cyberattack caused an outage of computer systems, phone lines, and websites, and its MyChart and MyPrevea applications were taken offline for several days, leaving the health system unable to take payments. The investigation confirmed that the threat actor accessed systems containing patient and employee information between August 16, 2023, and August 27, 2023, and potentially exfiltrated data. Notification letters started to be mailed to the affected individuals on October 26, 2023.

Several class action lawsuits were filed against Hospital Sisters Health System in response to the data breach. Since they had overlapping claims and were based on the same facts, the lawsuits were consolidated into a single action – In re Hospital Sisters Health System Data Breach Litigation, in the Circuit Court of the Seventh Judicial Circuit of the State of Illinois, Sangamon County, Chancery Division.

The lawsuit alleged that Hospital Sisters Health System was negligent because it failed to implement reasonable and appropriate security measures to protect its network and patient and employee data from unauthorized access, and had those measures been implemented, the data breach could have been prevented. Hospital Sisters Health System denies all claims asserted in the lawsuit and denies all allegations of wrongdoing and liability. Class counsel and the plaintiffs believe that the legal claims asserted in the lawsuit have merit.

After assessing the strengths and weaknesses of the case, the plaintiffs and defendants moved to settle the litigation to avoid the burden, expense, risk, and uncertainty of continued litigation. Class counsel and the plaintiffs believe that the settlement is fair and provides substantial benefits for the settlement class. Under the terms of the settlement, all class members are entitled to enroll in financial data monitoring services for two years. The CyEx Financial Shield package includes fraud and identity monitoring, including monitoring for unauthorized financial transactions and compromised bank and financial account numbers. Class members will also benefit from a $1 million financial fraud insurance policy.

Class members are also eligible to claim one of two cash benefits. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member.  Alternatively, they can submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees, expenses, settlement administration costs, class representative awards, financial data monitoring costs, and claims have been paid.

The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 4, 2025. Class members wishing to object to the settlement or exclude themselves must do so by November 14, 2025, and the deadline for submitting a claim is November 14, 2025.


Flo Health; Google; Flurry to Pay $59.5M to Settle Privacy Lawsuit

A settlement has been finalized to resolve a litigation against Flo Health, Inc., Google LLC, and Flurry, Inc., over the use of tracking code on Flo Health’s fertility tracking app. Under the terms of the settlement, the defendants will pay almost $60 million to cover legal costs, expenses, and benefits for the plaintiffs and class members.

The Flo Health app is one of the most popular health and wellness apps and has over 38 million monthly users. Prior to using the app, users are asked a series of personal questions about their general, sexual, and gynecological health and menstrual cycles. Further questions are asked as use of the app continues, with the answers used to provide tailored health and wellness advice. Users are told that their information will remain private and confidential and will not be shared with any third parties unless consent is provided, yet code within the app (software development kits) shared that data with the defendants, without the knowledge or consent of app users.

Several lawsuits were filed against Flo Health and the other defendants, which were consolidated into a single action due to the actions having overlapping claims – Erica Frasco, et al v. Flo Health, Inc., Meta Platforms, Inc., Google, LLC, and Flurry, Inc. The lawsuit alleged common law invasion of privacy – intrusion upon seclusion, invasion of privacy, violation of the California Constitution, breach of contract, breach of implied contract, unjust enrichment, and violations of the Stored Communications Act, California Confidentiality of Medical Information Act, Cal. Bus & Prof. Code, and the comprehensive Computer Data Access and Fraud Act.

Meta Platforms Inc. was also a named defendant; however, Meta chose not to settle, and the case proceeded to a jury trial. The jury sided with the plaintiffs and found that Meta was in violation of the California Invasion of Privacy Act. Meta Platforms intends to file an appeal. While the settlement was announced in July, the details have only recently been provided to Judge James Donato in the U.S. District Court for the Northern District of California, San Francisco Division. Under the terms of the settlement, $59.5 million will be paid by the defendants: Google has agreed to pay $48 million, Flo Health will pay $8 million, and Flurry will pay $3.5 million. Flo Health has also committed to ensuring app users’ privacy, and will display a prominent notice on its website to that effect for a period of one year following final approval of the settlement.

Attorneys for the plaintiffs will receive one-third of the settlement amount, which will also cover legal expenses, settlement administration costs, and service awards for the eight named plaintiffs. The remainder of the settlement will be used to pay for benefits for the class members. The class consists of all app users who used the app between November 1, 2016, and February 28, 2019.


Bayhealth Medical Center Agrees to Settle 2024 Data Breach Lawsuit

Bayhealth Medical Center in Dover, Delaware, has agreed to settle a proposed class action lawsuit stemming from a 2024 ransomware attack. The attack was detected on July 31, 2024, when suspicious activity was observed within its computer network. The forensic investigation determined that the threat actor had access to its systems from July 27 to July 31, 2024, and that files were exfiltrated during the attack. The data breach was reported to the HHS’ Office for Civil Rights on October 14, 2024, as involving the electronic protected health information of 497,047 individuals. The stolen files contained patients’ names, medical information, and Social Security numbers. The Rhysida ransomware group claimed responsibility for the attack and uploaded samples of the stolen data to its dark web data leak site, including identification documents, Social Security numbers, contact information, and other sensitive patient data.

Rhysida is a ransomware-as-a-service group that has been in operation since at least 2023. The group engages in double extortion tactics, demanding payment for the decryptor and to prevent the publication or sale of stolen data. Rhysida often states that stolen data will be auctioned to the highest bidder, only leaking the data if a buyer cannot be found. The lawsuit claims that Rhysida demanded a 25 Bitcoin ransom, which at the time was valued at approximately $1.4 million, and gave a payment deadline of August 14, 2024.

Bayhealth was quick to notify patients about the incident, adding a notice to its Facebook page on August 3, 2024. Then, on August 7, 2024, the CEO of Bayhealth confirmed publicly that the company was aware of Rhysida’s claim of data theft and the posting of certain data on the group’s data leak site. Bayhealth patient Sally Cannon Dunlop discovered in August 2024 that some of her ePHI had been published on the dark web, which she believed came from the attack on Bayhealth. Later that month, she filed a lawsuit individually and on behalf of other similarly situated individuals, alleging negligence, negligence per se, breach of implied contract, invasion of privacy, unjust enrichment, and breach of fiduciary duty, seeking compensatory, exemplary, punitive damages, and statutory damages.

Dunlop alleges that Bayhealth failed to implement reasonable and appropriate safeguards to protect patient data, and that the ransomware attack was the latest in a string of hacking-related data breaches that were a result of a failure of Bayhealth to follow FTC guidelines and comply with the HIPAA Rules. Bayhealth denies any wrongdoing; however, last month, following mediation, it agreed to settle the litigation. The details of the settlement are being finalized, and the settlement agreement is due to receive preliminary approval in early October.


LCMC Health Agrees to Settle Lawsuit Over Tracking Code on Patient Portal

LCMC Health Holdings and Louisiana Children’s Medical Center have agreed to settle a lawsuit that alleged that tracking code added to its website and patient portal transmitted sensitive patient information to Facebook, Google, and others without patients’ knowledge or consent.

According to the lawsuit, Pebbles Martin v. LCMC Health Holdings, Inc. and Louisiana Children’s Medical Center, LCMC Health added Meta Pixel and other tracking tools to its website and patient portal, which tracked, recorded, and disclosed patients’ personal health information to Facebook, Google, and other third parties. The tools were able to track various metrics, including the pages visited, the buttons clicked, and specific information input into the website. The lawsuit alleged that the data transmitted by the tracking tools was used to serve website visitors with targeted advertisements and gain an intimate personal profile of patients without their knowledge or consent.

LCMC Health is one of many healthcare providers to add Meta Pixel and other tracking tools to their websites and patient portals. When widespread use of these tools by healthcare providers was identified, the HHS’ Office for Civil Rights issued guidance, warning that these tools likely violated the HIPAA Rules. The guidance was challenged in court, and a Judge sided with the plaintiffs, partially vacating the guidance. While these tools can be used on websites without violating the HIPAA Rules, they cannot be used on patient portals, unless the provider of the code signs a business associate agreement or HIPAA-compliant authorizations are obtained.
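The distinction drawn above between a public website and a patient portal (and the SSM Health section's point that tracking tools on authenticated pages transmit health data to vendors) comes down to one practical question for a compliance or security reviewer: which third-party loaders are actually present on a given page. The Python script below is an added example, not code from The HIPAA Journal or from any of the organizations named on this page. It parses a page's HTML with the standard library and flags script, image and iframe sources whose host is on a constructed list of tracker hosts, and it also checks inline script text for SDK bootstraps (`fbq(`, `gtag(`) and tracker hostnames, because the Meta Pixel snippet injects its loader at runtime and a check of `src` attributes alone would miss it. The sample page, the host list and the pixel ID are constructed placeholders.

```python
"""Flag third-party tracking loaders in a page's HTML (added example; constructed data)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative list of tracker loader hosts. A real review would
# start from the organisation's own allow-list of approved first-party hosts
# and treat any other third-party host on an authenticated page as a finding.
TRACKER_HOSTS = {
    "connect.facebook.net",      # Meta Pixel loader (fbevents.js)
    "www.facebook.com",          # Meta Pixel <img> fallback (/tr endpoint)
    "www.googletagmanager.com",  # Google tag loader
    "www.google-analytics.com",
}

# Inline-script markers that show a tracking SDK being initialised. The Meta
# Pixel bootstrap injects its loader at runtime, so the host never appears in
# a <script src=...> attribute and only an inline-text check catches it.
INLINE_MARKERS = ("fbq(", "gtag(", "dataLayer.push(")


class TrackerScanner(HTMLParser):
    """Collects (element, indicator) findings while parsing."""

    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        src = attrs.get("src")
        if tag == "script":
            self._in_script = True
            self._script_text = []
        if src and tag in ("script", "img", "iframe"):
            self._check_host(tag, src)

    def handle_data(self, data):
        # <script> bodies arrive here as raw text; buffer them until the end tag.
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        body = "".join(self._script_text)
        for marker in INLINE_MARKERS:
            if marker in body:
                self.findings.append(("inline-script", marker))
        for host in sorted(TRACKER_HOSTS):
            if host in body:
                self.findings.append(("inline-script", host))

    def _check_host(self, tag, url):
        # Relative URLs have an empty netloc and are treated as first-party.
        host = urlparse(url).netloc.lower()
        if host in TRACKER_HOSTS:
            self.findings.append((tag, host))


def scan_page(html, authenticated):
    """Return unique findings; on an authenticated page any finding is high risk."""
    scanner = TrackerScanner()
    scanner.feed(html)
    scanner.close()
    unique = []
    for finding in scanner.findings:
        if finding not in unique:
            unique.append(finding)
    return {"findings": unique, "high_risk": authenticated and bool(unique)}


# Constructed sample of an authenticated portal page; the pixel ID is a placeholder.
SAMPLE_PORTAL_PAGE = """
<html><head>
<script>
  !function(f,b,e,v,n,t,s){/* pixel bootstrap, abbreviated */}
  (window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/portal.js"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>
<h1>Your appointments</h1>
</body></html>
"""

# Constructed page that loads only first-party code.
CLEAN_PAGE = '<html><head><script src="/static/portal.js"></script></head><body></body></html>'

if __name__ == "__main__":
    for name, page in (("portal", SAMPLE_PORTAL_PAGE), ("clean", CLEAN_PAGE)):
        result = scan_page(page, authenticated=True)
        print(name, "high_risk" if result["high_risk"] else "ok", result["findings"])
```

Run against the constructed portal page the scan reports four findings (the inline `fbq(` bootstrap, the `connect.facebook.net` host inside that inline script, the Google tag loader, and the `<img>` pixel fallback) and marks the page high risk; the clean page yields none. The script only sees what is in the served HTML, so a tag manager that loads further tags at runtime, or a tracker inserted by a browser extension, needs a dynamic check such as reviewing outbound requests from an instrumented browser session.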

LCMC Health maintains there was no wrongdoing; however, to avoid the cost and uncertainty of protracted litigation, it agreed to a settlement to bring the litigation to an end. Under the terms of the settlement, class members will be given cash compensation along with a one-year membership to Cyex Privacy Shield Pro. Members of the settlement class, individuals who used the LCMC patient portal between January 1, 2019, and November 30, 2022, may submit a claim for a cash payment of $15 and will be automatically provided with a code to enroll in the Privacy Shield Pro service.

LCMC Health has also agreed to remove and refrain from using certain tracking technologies on its website and patient portal for a period of two years from the date of final approval of the settlement. The settlement has received preliminary approval, and the final approval hearing has been scheduled for November 7, 2025. Claims for the cash payment must be submitted by November 25, 2025, and individuals wishing to opt out of or exclude themselves from the settlement must do so by October 27, 2025.  Notifications about the settlement were mailed to class members on August 27, 2025.
