LCMC Health Agrees to Settle Lawsuit Over Tracking Code on Patient Portal

LCMC Health Holdings and Louisiana Children’s Medical Center have agreed to settle a lawsuit that alleged that tracking code added to its website and patient portal transmitted sensitive patient information to Facebook, Google, and others without patients’ knowledge or consent.

According to the lawsuit, Pebbles Martin v. LCMC Health Holdings, Inc. and Louisiana Children’s Medical Center, LCMC Health added Meta Pixel and other tracking tools to its website and patient portal, which tracked, recorded, and disclosed patients’ personal health information to Facebook, Google, and other third parties. The tools were able to track various metrics, including the pages visited, the buttons clicked, and specific information input into the website. The lawsuit alleged that the data transmitted by the tracking tools was used to serve website visitors with targeted advertisements and gain an intimate personal profile of patients without their knowledge or consent.

LCMC Health is one of many healthcare providers to add Meta Pixel and other tracking tools to their websites and patient portals. When widespread use of these tools by healthcare providers was identified, the HHS’ Office for Civil Rights issued guidance, warning that these tools likely violated the HIPAA Rules. The guidance was challenged in court, and a judge sided with the plaintiffs, partially vacating the guidance. While these tools can be used on websites without violating the HIPAA Rules, they cannot be used on patient portals unless the provider of the code signs a business associate agreement or HIPAA-compliant authorizations are obtained.

LCMC Health maintains there was no wrongdoing; however, to avoid the cost and uncertainty of protracted litigation, it agreed to a settlement to bring the litigation to an end. Under the terms of the settlement, class members will be given cash compensation along with a one-year membership to Cyex Privacy Shield Pro. Members of the settlement class, individuals who used the LCMC patient portal between January 1, 2019, and November 30, 2022, may submit a claim for a cash payment of $15 and will be automatically provided with a code to enroll in the Privacy Shield Pro service.

LCMC Health has also agreed to remove and refrain from using certain tracking technologies on its website and patient portal for a period of two years from the date of final approval of the settlement. The settlement has received preliminary approval, and the final approval hearing has been scheduled for November 7, 2025. Claims for the cash payment must be submitted by November 25, 2025, and individuals wishing to opt out of or exclude themselves from the settlement must do so by October 27, 2025. Notifications about the settlement were mailed to class members on August 27, 2025.

The post LCMC Health Agrees to Settle Lawsuit Over Tracking Code on Patient Portal appeared first on The HIPAA Journal.

Cyberattack on Coos County Family Health Services Exposed Patient Data

Data breaches have recently been announced by Coos County Family Health Services in New Hampshire, Roush Fenway Keselowski Racing in North Carolina, and the University of North Carolina at Chapel Hill/UNC School of Medicine.

Coos County Family Health Services

Coos County Family Health Services, a primary care provider based in Berlin, New Hampshire, has recently announced a privacy incident that was identified on July 9, 2025, when suspicious activity was observed in its servers and phone systems. An investigation was launched, which confirmed that an unauthorized third party had access to its servers and phone systems on July 9, 2025, and may have copied data from those systems.

While ransomware was not mentioned in the notification letters, this appears to have been a ransomware attack. A ransomware group called RunSomeWarez claimed responsibility for the attack and added Coos County Family Health Services to its dark web data leak site. The group claims to have exfiltrated data. A ransom does not appear to have been paid.

Coos County Family Health Services reviewed the affected files and confirmed that they contained patient information such as names, dates of birth, contact information, Social Security numbers, medical information, and medical identification numbers. While no evidence has been found to suggest any misuse of the exposed data, complimentary credit monitoring and identity theft protection services have been offered to the affected individuals as a precaution. Security policies and procedures have also been reviewed and enhanced to prevent similar incidents in the future.

Roush Fenway Keselowski Racing

Roush Fenway Keselowski Racing has recently announced that it was the victim of a cyberattack that resulted in unauthorized access to systems containing the protected health information of employee health plan members. Suspicious activity was identified within its computer environment on May 14, 2025, and third-party digital forensics experts were engaged to investigate the activity. The investigation confirmed that files were either accessed or copied from its network.

The files were reviewed, and on August 4, 2025, Roush Fenway Keselowski Racing confirmed that health plan member information was exposed, including names, addresses, dates of birth, Social Security numbers, driver’s license/state identification card numbers, health insurance subscriber numbers, passport numbers, health information, financial account information, health insurance information, health insurance claim information, and medical information. Up to 2,160 individuals were affected and have been offered complimentary identity monitoring services.

The University of North Carolina at Chapel Hill – School of Medicine

The University of North Carolina at Chapel Hill and the University of North Carolina Hospitals have announced a breach of an email account of a UNC School of Medicine employee. The investigation revealed the email account was accessed by an unauthorized third party following a response to a phishing email. The attacker used social engineering techniques to trick the employee into clicking a malicious link and disclosing their account credentials. The email appeared to have been sent by a trusted source.

The breach was detected on July 24, 2025, and was remediated within 15 hours of the unauthorized access; however, during that time, the attacker potentially viewed or acquired the electronic protected health information of patients. The potentially compromised information included names, dates of birth, diagnosis and treatment information, Social Security numbers, driver’s license numbers, financial information, health insurance information, and/or information about a research study that the individuals were involved in or eligible to participate in.

Notification letters were mailed to the affected individuals on September 19, 2025, and complimentary credit monitoring has been offered to individuals whose Social Security numbers, driver’s license numbers, financial information, and/or health insurance information were involved. The data breach was reported to the HHS Office for Civil Rights by the University of North Carolina at Chapel Hill – School of Medicine as affecting 799 individuals, and UNC Hospitals as affecting 6,377 individuals.

The post Cyberattack on Coos County Family Health Services Exposed Patient Data appeared first on The HIPAA Journal.