SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit – The HIPAA Journal
SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit The HIPAA Journal
SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit
Individuals who used SSM Health’s MyChart patient portal when tracking tools were active are entitled to claim a cash payment and a 12-month membership to a digital privacy and identity protection service to compensate them for having their personal and health data disclosed to third parties such as Meta and Google.
The settlement resolves all claims in the lawsuit, Jane Doe v. SSM Health Care Corporation, d/b/a SSM Health, which was filed in the Circuit Court for the City of St. Louis in the State of Missouri on December 5, 2022. The lawsuit alleged that SSM Health added Meta Pixel and other third-party tracking technologies on its MyChart patient portal, which collected and transmitted protected health information to third-party tracking vendors, including their status as patients, their physicians, health conditions, treatments, facilities visited, and other sensitive data, without their knowledge or consent.
Tracking tools are used extensively across the internet and track user activity on websites. The data collected by these tools can be used for advertising and marketing purposes. In healthcare, if these tools are used on authenticated web pages such as patient portals, they can collect sensitive health data and transmit that information to technology vendors. Such disclosures violate HIPAA unless a business associate agreement is obtained or valid HIPAA authorizations.
The plaintiff alleged that SSM Health’s use of these tools amounted to negligence. The lawsuit also asserted claims of invasion of privacy – intrusion upon seclusion, breach of implied contract, breach of fiduciary duty, unjust enrichment, and a violation of the Illinois Consumer Fraud and Deceptive Practices Act. SSM Health denies all claims and contentions in the lawsuit and maintains there was no wrongdoing; however, a settlement was agreed to bring the litigation to an end to avoid the costs, risks, and uncertainty of a jury trial. Class counsel and the plaintiff believe the settlement is fair.
Under the terms of the settlement, users who logged into the SSM Health MyChart patient portal between July 6, 2020, and February 10, 2023, when tracking tools were installed, are entitled to claim a 12-month membership to the CyEx Privacy Shield Pro service, which provides dark web monitoring, data broker opt-out, and identity protection services. In addition, class members may submit a claim for a cash payment of $31.50.
The settlement has received preliminary approval from the court, and the final fairness hearing is scheduled for November 21, 2025. Individuals wishing to opt out of or exclude themselves from the settlement have until October 27, 2025, to do so, and claims must be submitted by November 25, 2025. Further information can be found on the settlement website: https://ssmhealthdatasettlement.com/
The post SSM Health Agrees to Settle MyChart Patient Portal Tracking Lawsuit appeared first on The HIPAA Journal.
Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations – The HIPAA Journal
Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations – The HIPAA Journal
Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations
A $182,000 settlement has been agreed between the HHS’ Office for Civil Rights and five Delaware healthcare providers to resolve alleged violations of the HIPAA Privacy and HIPAA Breach Notification Rules. The settlement concerns the posting of patients’ protected health information (PHI) on social media without first obtaining HIPAA-compliant authorizations to use PHI for a purpose not expressly permitted by the HIPAA Privacy Rule, then failing to notify individuals about the impermissible use and disclosure.
Cadia Healthcare is a provider of rehabilitation, skilled nursing, and long-term care services at five facilities in Delaware. Those facilities are Cadia Rehabilitation Broadmeadow in Middletown, Cadia Rehabilitation Renaissance in Millsboro, Cadia Rehabilitation Capital in Dover, and Cadia Rehabilitation Pike Creek and Cadia Rehabilitation Silverside in Wilmington, collectively referred to as the Cadia Healthcare Facilities (Cadia).
Each of the Cadia facilities is a HIPAA-covered entity that is required to comply with the HIPAA Rules. OCR launched an investigation after receiving a complaint on September 20, 2021, about an alleged impermissible disclosure of PHI online. The complainant alleged that Cadia had used their photograph, name, and information about their condition, treatment, and recovery in an online post but had not obtained authorization to use the information for that purpose.
OCR’s investigation substantiated the allegation and determined that a Cadia employee had posted the patient’s PHI to Cadia’s social media page as part of a success story; however, a signed authorization form had not been obtained prior to that use and disclosure. Under HIPAA, PHI cannot be posted online on websites or social media pages unless a HIPAA-compliant authorization has been obtained from an individual in advance.
OCR notified Cadia about the allegations and the findings of the investigation, and Cadia removed the post and notified the patient that the success story had been removed. OCR also identified other patients whose treatment had been included in a series of success stories. As of February 22, 2022, Cadia had created and posted success stories containing the PHI of 150 patients without obtaining valid HIPAA authorizations. According to OCR, Cadia shut down the success story program in March 2022, but failed to issue notifications to the affected individuals, as required by the HIPAA Breach Notification Rule.
“The internet and social media are important business development tools. But before disclosing PHI through social media or public-facing websites, covered entities and business associates should ensure that the HIPAA Privacy Rule permits the disclosure,” said OCR Director Paula M. Stannard. “Generally, a valid, written HIPAA authorization from an individual is necessary before a covered entity or business associate can post that individual’s PHI in a website testimonial or through a social media campaign.”
In April 2025, OCR entered into a settlement agreement with Cadia to resolve the alleged violations of the HIPAA Rules. The alleged violations related to two Privacy Rule and one Breach Notification Rule provisions:
- 45 C.F.R. § 164.530(c) – The failure to implement appropriate administrative, technical, and physical safeguards to protect the privacy of PHI and reasonably safeguard PHI from any intentional or unintentional use or disclosure.
- 45 C.F.R. § 164.502(a) – The impermissible use or disclosure of PHI
- 45 C.F.R. § 164.404(a) – The failure to issue timely breach notifications
In addition to paying the financial penalty, the settlement agreement includes a corrective action plan (CAP). Cadia will be monitored for compliance with the CAP for 2 years. The corrective action plan requires Cadia to review and revise, as necessary, its policies and procedures to ensure compliance with the HIPAA Rules. Those policies and procedures must be distributed to the workforce, and HIPAA training must be provided to workforce members. Policies and procedures must be reviewed at least annually and updated as necessary to ensure continued HIPAA compliance. Cadia is also required to issue breach notifications concerning the impermissible disclosures of PHI under the success story program.
Notifications have already been issued, and the Cadia websites currently display a notice about the privacy violations. Cadia confirmed that it had policies and procedures in place requiring patients to sign a written consent form prior to using their information in its success story program. “On February 22, 2022, we learned that one or more of these success stories may have been posted without a valid consent form on file for the patient highlighted in the story. We promptly launched an investigation, removed all success stories from our social media pages, and on March 2, 2022, eliminated the success story program in its entirety,” explained Cadia in its substitute breach notice. “Because we deleted all success stories in 2022, we were unable to definitively determine all individuals who participated in the success story program. Accordingly, out of an abundance of caution, we are notifying individuals who may have participated and for whom we could not locate a valid consent form.”
This is the 20th HIPAA penalty to be imposed by OCR to resolve violations of the HIPAA Rules so far in 2025, making it one of the most active years of HIPAA enforcement. So far this year, OCR has collected more than $8.2 million in civil monetary penalties and settlements.
The post Delaware Rehab Facilities Settle Social Media and Breach Notification HIPAA Violations appeared first on The HIPAA Journal.
A former employee alleged Verily violated HIPAA. What healthcare marketers should know about the claims – Medical Marketing and Media
A former employee alleged Verily violated HIPAA. What healthcare marketers should know about the claims Medical Marketing and Media
HHS’ Office for Civil Rights Settles HIPAA Investigation of Cadia Healthcare Facilities for Disclosure of Patients’ Protected Health Information – HHS.gov
Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions
The Department of Health and Human Services Office for Inspector General (HHS-OIG) has announced two settlements with healthcare providers to resolve alleged violations of the Emergency Medical Treatment and Labor Act (EMTALA) due to the failure to provide adequate medical screening examinations and stabilizing treatment to patients with emergency mental health complaints.
EMTALA requires Medicare-participating hospitals to provide a medical screening examination to anyone seeking treatment for a potential emergency medical condition, regardless of their ability to pay. Stabilizing treatment must be provided to the patient, or the patient may be transferred to another facility if the hospital is unable to provide stabilizing treatment within its capabilities.
North Carolina Baptist Hospital (NCBH) was investigated by HHS-OIG and was found to have violated EMTALA on two occasions in August 2021. A patient presented at the Emergency Department requesting a psychiatric evaluation, a psychotropic medication refill, and complained of back pain at an 8/10 level. The patient was triaged and found to have abnormal vital signs. Around four hours later, NCHB’s records showed that the patient left the facility without being seen. Two days later, the patient returned to the ED two days after jumping off a bridge and being hit by a truck, and later died from the injuries.
The same month, a patient with a history of schizoaffective disorder, bipolar disorder, and depression presented to the hospital with psychological issues, having arrived by ambulance due to a psychiatric disturbance. In the ED, the patient experienced auditory hallucinations and made bizarre, illogical statements. The patient was given intravenous fluids and was discharged home the following day, without having been given a detailed psychiatric evaluation. At the time of discharge, the patient refused to leave and claimed she could not walk or see. After speaking with a doctor, she was given a bus token and was escorted off the premises by a security guard. After her mother called the hospital to inquire about her whereabouts, the patient was found in a hospital robe at a bus stop. Around one week later, the patient was involuntarily committed to a psychiatric facility. NCBH settled the alleged EMTALA violations and paid a $200,000 financial penalty.
Swedish American Hospital (SAH) in Rockford, Illinois, was investigated over an alleged EMTALA violation in 2024 when a patient was not provided with appropriate medical screening after presenting at the hospital’s Emergency Department, complaining of suicidal ideation. The previous day, SAH referred the patient to a mental health professional at an outpatient facility, who signed a petition for involuntary admission. The patient presented at the hospital with the petition; however, the patient did not receive an appropriate medical screening examination, was not provided with stabilizing treatment, and was discharged two hours after presenting at the hospital. SAH settled the alleged violation with HHS-OIG and paid a $100,000 financial penalty.
The post Hospitals Settle EMTALA Violations After Failing to Screen and Treat Patients With Emergency Mental Health Conditions appeared first on The HIPAA Journal.
Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million
A class action lawsuit against Hospital Sisters Health System has been settled for $7.6 million. The lawsuit relates to an August 2023 cyberattack that affected approximately 883,000 individuals. The cyberattack caused an outage of computer systems, phone lines, and websites, and its MyChart and MyPrevea applications were taken offline for several days, leaving the health system unable to take payments. The investigation confirmed that the threat actor accessed systems containing patient and employee information between August 16, 2023, and August 27, 2023, and potentially exfiltrated data. Notification letters started to be mailed to the affected individuals on October 26, 2023.
Several class action lawsuits were filed against Hospital Sisters Health System in response to the data breach. Since they had overlapping claims and were based on the same facts, the lawsuits were consolidated into a single action – In re Hospital Sisters Health System Data Breach Litigation, in the Circuit Court of the Seventh Judicial Circuit of the State of Illinois, Sangamon County, Chancery Division.
The lawsuit alleged that Hospital Sisters Health System was negligent because it failed to implement reasonable and appropriate security measures to protect its network and patient and employee data from unauthorized access, and had those measures been implemented, the data breach could have been prevented. Hospital Sisters Health System denies all claims asserted in the lawsuit and denies all allegations of wrongdoing and liability. Class counsel and the plaintiffs believe that the legal claims asserted in the lawsuit have merit.
After assessing the strengths and weaknesses of the case, the plaintiffs and defendants moved to settle the litigation to avoid the burden, expense, risk, and uncertainty of continued litigation. Class counsel and the plaintiffs believe that the settlement is fair and provides substantial benefits for the settlement class. Under the terms of the settlement, all class members are entitled to enroll in financial data monitoring services for two years. The CyEx Financial Shield package includes fraud and identity monitoring, including monitoring for unauthorized financial transactions and compromised bank and financial account numbers. Class members will also benefit from a $1 million financial fraud insurance policy.
Class members are also eligible to claim one of two cash benefits. They may submit a claim for reimbursement of documented, unreimbursed losses due to the data breach, up to a maximum of $5,000 per class member. Alternatively, they can submit a claim for a pro rata cash payment, which will be paid after attorneys’ fees, expenses, settlement administration costs, class representative awards, financial data monitoring costs, and claims have been paid.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for December 4, 2025. Class members wishing to object to the settlement or exclude themselves must do so by November 14, 2025, and the deadline for submitting a claim is November 14, 2025.
The post Hospital Sisters Health System Settles Class Action Data Breach Lawsuit for $7.6 Million appeared first on The HIPAA Journal.