Legal News about HIPAA Compliance

The Christ Hospital Agrees to Pay up to $7 Million to Resolve Pixel Litigation

The Christ Hospital in Cincinnati, Ohio, has agreed to pay up to $7 million to settle a consolidated class action lawsuit over its use of tracking tools on its MyChart patient portal. Tracking tools are added to websites and record user data that can be used to improve the websites; however, these tools often transmit the collected data to third parties. The information can be linked to individual users and is often used for marketing and advertising purposes.

These tools are commonly used on websites and apps, but when used by healthcare providers, especially on websites that require users to log in, they can collect sensitive health data. If that information is transmitted to a third party without a valid business associate agreement in place, or if consent is not obtained to share the data with a third party, these tools violate HIPAA. Several class action lawsuits against healthcare providers alleging violations of federal and state laws related to the use of website tracking technologies have been resolved in recent weeks, and Meta was found liable by a California jury in one of the few such lawsuits to go to trial.

Three lawsuits were filed against The Christ Hospital over the use of these tracking tools, which were consolidated into a single action – In Re The Christ Hospital Pixel Litigation – in the Court of Common Pleas, Hamilton County, Ohio, as they had overlapping claims and were based on similar facts. The consolidated lawsuit alleged that The Christ Hospital encouraged its patients to use its website to book appointments, locate facilities, communicate symptoms, search for medical information and treatment options, sign up for classes, and access the patient portal to review health records, request prescription refills, and complete medical forms.

The website included tracking tools such as pixels, web beacons, and cookies that collected sensitive data and disclosed it to Meta and Google. The information disclosed on the website could allow third parties to reasonably infer that a patient was being treated for a specific health condition, including cancer, pregnancy, or addiction. The plaintiffs allege that these tools were added to the website, collected data, and transmitted that information to third parties without their knowledge or consent.

The data collected by Meta Pixel was tied to individuals by their Facebook ID, and Google was sent data from Google Analytics code and could identify individuals via the Chrome browser and Google devices, which made the intercepted data personally identifiable. The lawsuit claimed the use of the tools violated federal law (HIPAA and the FTC Act) and state law (the Ohio Wiretapping Act and the Ohio Consumer Sales Practices Act). The lawsuit also asserted claims of breach of confidence, invasion of privacy, breach of implied contract, unjust enrichment, and negligence.
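As a defensive check, the following added example (it is not code from The HIPAA Journal, The Christ Hospital, or any party to the case) shows how a compliance team could inventory third-party tracking tags in a portal page's HTML before deciding whether a business associate agreement or patient authorization covers each one. The tracker signatures (the Meta Pixel loader host and `fbq` call, the Google tag loader hosts and `gtag` call) and the sample portal HTML are assumptions constructed for this example.

```python
"""Inventory third-party tracking tags (Meta Pixel, Google Analytics /
Tag Manager) in a page's HTML.

Added example; not code from The HIPAA Journal or any party to the case.
The signatures below are assumptions based on the publicly documented
loader URLs of those products, and SAMPLE_PORTAL_HTML is constructed to
exercise the scanner. Feed it the HTML of your own portal pages (fetched
with an authenticated session) to see what third-party code is present.
"""
from html.parser import HTMLParser
import re

# Assumed tracker signatures: host fragments seen in src attributes or in
# inline loader code, plus the inline call each product's snippet makes.
TRACKER_SIGNATURES = {
    "Meta Pixel": {
        "hosts": ("connect.facebook.net", "facebook.com/tr"),
        "inline": re.compile(r"\bfbq\s*\("),
    },
    "Google Analytics / Tag Manager": {
        "hosts": ("googletagmanager.com", "google-analytics.com"),
        "inline": re.compile(r"\bgtag\s*\("),
    },
}


class _TagCollector(HTMLParser):
    """Collect external resource URLs and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.urls = []            # (tag, src) for script/img/iframe
        self.inline_scripts = []  # bodies of <script> tags without src
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.urls.append((tag, attrs["src"]))
        if tag == "script" and not attrs.get("src"):
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> content as raw data.
        if self._in_script:
            self.inline_scripts.append(data)


def find_trackers(html):
    """Return a sorted list of (tracker_name, evidence) pairs found in html."""
    collector = _TagCollector()
    collector.feed(html)
    findings = set()
    for name, sig in TRACKER_SIGNATURES.items():
        for tag, url in collector.urls:
            if any(host in url for host in sig["hosts"]):
                findings.add((name, f"<{tag} src={url}>"))
        for body in collector.inline_scripts:
            for host in sig["hosts"]:
                if host in body:
                    findings.add((name, f"inline reference to {host}"))
            match = sig["inline"].search(body)
            if match:
                findings.add((name, f"inline call {match.group(0).strip()}"))
    return sorted(findings)


def tracker_names(html):
    """Convenience: just the set of tracker products detected."""
    return {name for name, _ in find_trackers(html)}


# Constructed sample resembling a portal page with both products installed.
SAMPLE_PORTAL_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments)}
gtag('js',new Date());gtag('config','G-EXAMPLE');</script>
<script>!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)}}(window,document,'script',
'https://connect.facebook.net/en_US/fbevents.js');
fbq('init','0000000000000000');fbq('track','PageView');</script>
<noscript><img height="1" width="1" style="display:none"
src="https://www.facebook.com/tr?id=0000000000000000&ev=PageView&noscript=1"/></noscript>
</head><body><a href="/find-a-doctor?specialty=oncology">Find a doctor</a></body></html>"""

if __name__ == "__main__":
    for name, evidence in find_trackers(SAMPLE_PORTAL_HTML):
        print(f"{name}: {evidence}")
```

A scan like this only shows which vendors receive data; the follow-up question for each finding is whether the page is reachable only after login (the MyChart scenario in the complaint) and whether a business associate agreement or patient authorization covers the disclosure. Pages with no hits on the signature list may still load trackers indirectly through a tag manager, so review the tag manager container as well.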

The Christ Hospital maintains there was no wrongdoing; however, it chose to settle the litigation to avoid the risks and uncertainties associated with a trial. Under the terms of the settlement, The Christ Hospital will establish a $4,500,000 settlement fund to cover attorneys’ fees and expenses, settlement administration costs, service awards for class representatives, CyEx’s Privacy Shield Pro memberships, and cash payments. If, after covering all of those costs and expenses, there are insufficient funds remaining to pay class members a minimum of $37.50, then a further $2,500,000 will be added to the settlement fund. Should the $7 million total be exceeded, then claims will be subject to a pro rata reduction.

The Christ Hospital has also agreed to injunctive relief and will not transmit or otherwise permit Facebook to view or access individually identifiable health information and demographic information covered by HIPAA. That means any information related to past, present, or future physical or mental health or condition of an individual, which identifies that individual or could be used to identify that individual. The injunctive relief will apply to the Patient Portal, including forms and Health Risk Assessments, for a period of two years.

January 27, 2023: Lawsuit Alleges Christ Hospital Website Sent Patient Data to Meta

Earlier this month, a lawsuit was filed against The Christ Hospital in Cincinnati, OH, alleging third-party tracking code had been added to its website that was transmitting sensitive patient data to Meta and other third parties without obtaining authorization from patients.

An investigation by The Markup last summer revealed that one-third of the top 100 hospitals in the United States had Meta pixel tracking code on their websites, several of which were confirmed as having added the code to their password-protected patient portals. In some instances, the code was transmitting patient data to Meta, such as if website visitors were logged into their Facebook accounts while browsing the hospital websites. Tracking code is also provided by others, such as Google, which can similarly transmit data based on the interactions of users on websites.

Following the investigation, several healthcare organizations announced data breaches related to tracking technologies that have resulted in the impermissible disclosure of patient information. The HHS’ Office for Civil Rights recently issued guidance on the use of tracking technologies on hospital websites, confirming that these technologies have the potential to violate the HIPAA Rules, and the use of these technologies without patient authorizations or a business associate agreement is likely to be a reportable data breach. The Christ Hospital does not appear to have announced any such breach to date.

The lawsuit – Doe v. The Christ Hospital – was filed on January 10, 2023, by attorney James Eugene Burke III in Hamilton County Court but has since been moved to federal court. According to the lawsuit, The Christ Hospital website has a search engine that patients are encouraged to use to find physicians within its network, and patients can schedule appointments with those physicians online. The hospital website allegedly includes Meta Pixel and other third-party code, which collects information about the activities of website users and transmits that information to Meta and others, with the information potentially used to serve patients with targeted adverts on Facebook and other Meta platforms.

The lawsuit alleges that patients who searched for cancer treatments, mental health care, and even sexually transmitted infections could be targeted with adverts related to their searches on the site. The lawsuit also alleges that third-party code was included on the MyChart patient portal, which could potentially transmit communications with physicians to third parties without patient authorization, in violation of the HIPAA Rules.

The lawsuit names Jane Doe as plaintiff and seeks class action status to cover all similarly affected patients. The lawsuit seeks a jury trial and damages in excess of $25,000. The Christ Hospital maintains it is not selling patient data to Meta or other third parties and is investigating the claims made in the lawsuit.

The post The Christ Hospital Agrees to Pay up to $7 Million to Resolve Pixel Litigation appeared first on The HIPAA Journal.