Sutter Health, Lemonaid Health, & Redeemer Health Settle Pixel Data Breach Lawsuits
Settlements have been agreed to resolve class action lawsuits against three healthcare providers – Sutter Health, Lemonaid Health, & Redeemer Health – that alleged unlawful disclosures of individually identifiable patient information to third parties via website tracking technologies.
Tracking technologies such as pixels are extensively used across the Internet to identify and track user activity online. Website owners can use these tools to gather valuable information about how individuals use their websites, such as the pages they visit, the duration of site use, and the links they click while on the site. They can also be used to track visitors across the Internet for marketing purposes, such as serving personalized adverts based on the content they viewed while on a particular website. While website owners can view the data collected by these tools, the same data is usually transmitted to the third-party providers of those tools.
In healthcare, there are risks associated with these tools, as they can potentially transmit information protected under HIPAA – personally identifiable health information. The HHS’ Office for Civil Rights issued guidance on HIPAA and website tracking technologies, which was challenged in court. The guidance was partially vacated. While these tools may be used on the websites of HIPAA-regulated entities without violating HIPAA, they should not be used on authenticated pages such as patient portals, unless HIPAA-compliant authorizations have been obtained or there is a business associate agreement with the third party that provided the code. Many lawsuits were filed against hospitals and other healthcare organizations over the use of these tools that alleged violations of HIPAA, wiretapping, and state privacy laws, three of which were recently settled.
Sutter Health
Sutter Health, a non-profit integrated health delivery system based in Sacramento, California, faced class action lawsuits over alleged impermissible disclosures of patients’ protected health information to Meta (Facebook), Google, and other third parties via cookies, pixels, web beacons, JavaScript, and other technologies on its website and patient portal. The lawsuits were consolidated – Jane Doe I and Jane Doe II, et al. v. Sutter Health – in the Superior Court of California, Sacramento County, and asserted several claims. Following several pleading challenges in which certain claims were rejected, the class action proceeded with claims of violations of the California Invasion of Privacy Act (CIPA), breach of express contract, and breach of implied contract. Following two attempts at mediation, a $21,500,000 settlement was agreed, with no admission of wrongdoing or liability by Sutter Health.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
The settlement fund will be used to pay attorneys’ fees and expenses, notice and settlement administration costs, and service awards for the class members. Class counsel may claim up to $7,095,000 plus estimated expenses of $208,990.21, notice and administration costs will be $385,000 and $445,000 respectively, and each class representative may claim a service award of up to $10,000.
The remainder of the settlement fund will be used to pay benefits to the class members. Each class member may claim a one-time cash payment, which will not exceed $90 per class member. Class members are California residents who logged into their own Sutter Health MyHealthOnline portal for reasons related to their own health care from June 10, 2025, to March 20, 2020. Any funds remaining in the settlement fund after benefits have been paid will be distributed cy pres to the non-profits Privacy Rights Clearinghouse and the AHIMA Foundation.
The settlement has received preliminary approval from the court, and the final fairness hearing has been scheduled for February 27, 2026. The deadline for submitting a claim is January 28, 2026, and the deadline for objection to and exclusion from the settlement is January 23, 2026.
Lemonaid Health
Lemonaid Health Inc., the 23andMe-owned telemedicine platform provider, has agreed to settle class action litigation over the use of tracking pixels on the lemonaidhealth.com website, which the lawsuit alleged disclosed individually identifiable health information and protected health information to third parties such as Meta and Google without users’ knowledge or consent.
The lawsuit was initially entitled A.J., et al. v. Lemonaid Health Inc. and LMND Medical Group, Inc. d/b/a Lemonaid Health and was filed in the United States District Court for the Northern District of California. The defendants entered bankruptcy proceedings, the lawsuit was renamed, In re Chrome Holding Co. (f/k/a 23andMe Holding Co.), et al, and was moved to the United States Bankruptcy Court for the Eastern District of Missouri.
The defendants deny any wrongdoing or liability, while class counsel and the class representatives believe they have asserted valid claims. All parties have agreed that a settlement is in the best interests of all parties. Under the terms of the settlement, a $3,250,000 settlement fund will be established to cover attorneys’ fees of up to one-third of the settlement fund, expenses, settlement administration and notice costs, and service awards for the class representatives (up to a maximum of $55,000). The remainder of the settlement will be used to pay one-time cash payments to the approximately 35,000 class members. The settlement has received preliminary approval from the bankruptcy court, and the final fairness hearing has been scheduled for January 20, 2026. The deadline for objection to and exclusion from the settlement is January 5, 2026, and claims must be submitted by February 23, 2026.
Redeemer Health
Redeemer Health, a Catholic healthcare provider based in Huntingdon Valley, Pennsylvania, that serves patients in southeastern Pennsylvania and New Jersey, was alleged to have added tracking pixels to its websites and patient portals that illegally transmitted personal and health information to third parties without visitors’ knowledge or consent. Three lawsuits were filed over the use of the tools, which were consolidated into a single lawsuit – Doe et al. v. Redeemer Health et al I – on May 8, 2023, in the Philadelphia County Court of Common Pleas, as they had materially similar causes of action.
Redeemer Health denies any wrongdoing or liability, and the plaintiffs believe they have asserted valid claims. All parties agreed that a settlement was in the best interests of all parties to avoid the cost, disruption, distraction, and uncertainty of continuing with the litigation. The settlement provides the class members with the opportunity to receive a cash payment of $25 and enroll in one year of CyEx Privacy Shield Pro, a service that protects individuals against fraud by monitoring a broad array of assets on the dark web. The benefits must be claimed, and claims must be submitted by January 9, 2026. The final approval hearing has been scheduled for February 9, 2026.
