Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation

Posted by Steve Alder

Jefferson Healthcare has agreed to settle a class action lawsuit that alleged sensitive data was transmitted to third parties without patient consent due to its use of Meta Pixel and other tracking technologies on its website. Jefferson Healthcare serves residents of eastern Jefferson County on the Olympic Peninsula in Washington State. According to the lawsuit – Jane Doe et al. v. Jefferson County Public Hospital District No. 2 D/B/A Jefferson Healthcare – Jefferson Healthcare installed computer code, including Meta Pixel, on its website between March 19, 2020, and March 19, 2024.

The plaintiffs allege that the implementation of the code allowed their protected health information to be transmitted to third parties such as Facebook and Google without their knowledge or consent. The complaint was filed on March 19, 2024, and Jefferson Healthcare filed a motion to dismiss, which was granted in its entirety by Jefferson County Superior Court Judge Brandon Mack on July 24, 2024. On August 23, 2024, the plaintiff filed a Notice of Appeal with the Washington Court of Appeals.

The plaintiffs and the defendant agreed that a settlement was in the best interests of all parties to avoid the burden, expense, risk, and uncertainty of continuing the litigation. The terms of the settlement have now been agreed upon, and the settlement has received preliminary court approval. Under the terms of the settlement, class members are entitled to claim a voucher for a 12-month subscription to CyEx Privacy Shield, valued at $330.

Jefferson Healthcare has also agreed not to use Meta Pixel on its website for at least two years, unless it is determined that its use is consistent with applicable laws, and an affirmative disclosure is made in the privacy statement on its website that Meta Pixel is being used.  Jefferson Healthcare has agreed to pay attorneys’ fees of $125,000, awards of $2,500 for the class representatives, and will cover the settlement administration costs.

Class members wishing to exclude themselves or object to the settlement have until October 17, 2025, to do so. Claims for a voucher must be submitted by November 17, 2025, and the final approval hearing has been scheduled for December 5, 2025.

The post Jefferson Healthcare Agrees to Settle Meta Pixel Class Action Litigation appeared first on The HIPAA Journal.

California Business Associate Improperly Disposed of Patient Data

Posted by Steve Alder

Central Valley Regional Center, a Fresno, California-based state-funded provider of services to individuals with developmental disabilities, has notified patients about the recent exposure of physical documents containing their personal information. The number of affected individuals has yet to be announced.

Central Valley Regional Center employed a new vendor that provided janitorial services. In July, Central Valley Regional Center discovered that the company had been disposing of confidential documents along with regular trash. The documents had been placed in bins for confidential waste and should have been shredded. The vendor had been emptying the shredding bins and disposing of the documents in trash bags along with regular waste.

The investigation revealed that the improper disposal of documents occurred between March 2025 and July 2025 at one Central Valley Regional Center facility only. The documents likely included information such as names, addresses, dates of birth, other personal data, medical information, and Social Security numbers. The incident has been reported to law enforcement, the California Attorney General, the California State Department of Developmental Services, and all vendor contracts have been reviewed, along with policies relating to data privacy and security protocols.

Further, steps have been taken to prevent similar incidents in the future, including adding locks to all shredding bins, restricting access to shredding bits to its approved shredding service provider, revising janitorial service procedures to provide more explicit instructions on waste disposal, adding signage regarding proper waste disposal procedures, implementing routine audits to ensure compliance with internal policies and procedures, and affirming expectations regarding confidentiality and data protection with its vendors. The affected individuals have been notified by mail and have been offered identity protection services.

Improper disposal incidents are relatively rare, yet they can result in the exposure of large amounts of PHI. The incident should serve as a warning to other healthcare organizations about the importance of providing clear instructions to service providers about their responsibilities with respect to confidential information, including service providers who may encounter physical PHI.

The post California Business Associate Improperly Disposed of Patient Data appeared first on The HIPAA Journal.

Data Breaches Announced by Community Health Network; Mid South Rehab Services

Posted by Steve Alder

Cybercriminals have gained access to employee email accounts at Community Health Network in Indiana and Mid South Rehab Services in Mississippi and may have exfiltrated patient information.

Community Health Network, Indiana

Community Health Network, a non-profit health system with more than 200 locations and affiliates in Central Indiana, has recently notified 13,939 Indiana residents about a security incident involving unauthorized access to an employee’s email account. The intrusion was identified on February 26, 2025, and the threat was immediately contained. An investigation was launched to determine the nature and scope of the unauthorized activity, and it was confirmed that the breach was limited to a single email account, which was accessed by an unauthorized individual between February 25 and February 26, 2025.

The email account was reviewed, and on May 8, 2025, it was confirmed that the account contained patients’ protected health information. Following a comprehensive manual document review, on July 15, 2025, Community Health Network confirmed the number of individuals affected and the types of information involved. The exposed data was limited to names, dates of birth, medical information, and health insurance information, which was potentially copied from the email system. After verifying contact information, the affected individuals were notified by mail on September 12, 2025, and advised to remain vigilant against misuse of their data by checking their accounts, free credit reports, and explanation of benefits statements. Credit monitoring services do not appear to have been offered.

Mid South Rehab Services Inc., Mississippi

Mid South Rehab Services Inc., a Ridgeland, Mississippi-based provider of physical, occupational, and speech therapy services, has recently notified patients about a breach of its email environment. Unauthorized activity was identified in an employee’s email account on or around January 16, 2025. The email account was immediately secured, and an investigation was launched to determine the nature and scope of the activity. The investigation covered its entire email environment and confirmed that two email accounts had been accessed by an unauthorized third party.

The review of those accounts confirmed that emails and attachments contained patient information such as names, dates of birth, Social Security numbers, and medical/health information. The affected individuals have been advised to monitor their account statements, credit reports, and explanation of benefit statements for unusual activity. The data breach has been reported to regulators, but the incident is not yet shown on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Data Breaches Announced by Community Health Network; Mid South Rehab Services appeared first on The HIPAA Journal.