The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Advocate Aurora Health Settles Pixel Lawsuit for $12.225 Million

Advocate Aurora Health has proposed a $12.225 million settlement to resolve a consolidated class action lawsuit filed over the impermissible disclosure of patient data to third parties via tracking technologies. Advocate Aurora Health was one of the first HIPAA-regulated entities to report a Pixel-related data breach to the HHS’ Office for Civil Rights (OCR) and notify patients that their protected health information had been impermissibly disclosed to unauthorized third parties via these tracking technologies.

Advocate Aurora Health operates 17 hospitals and more than 500 facilities in Wisconsin and Illinois. Advocate Aurora Health used tracking technologies such as Meta Pixel, Google Analytics, and other third-party tools on its website, patient portal, and scheduling app. The tracking tools were used to gain insights into the use of its website and app to better understand patient needs to improve the services it provides. Advocate Aurora Health has since removed the tracking tools from its website, MyChart patient portal, and LiveWell App. The HIPAA Breach Notification Rule requires individual notifications to be sent in the event of a data breach. Since it was not possible to determine exactly how many individuals were affected, the decision was taken to send notifications to 3 million individuals who were potentially affected and may have had some of their sensitive data disclosed to third parties.

Several lawsuits were filed against Advocate Aurora Health after patient notifications were issued. The lawsuits were consolidated into a single action, In Re Advocate Aurora Health Pixel Litigation. The plaintiffs/class representatives are Shyanne John, Richard Webster, Deanna Danger, James Gabriel, Katrina Jones, Derrick Harris, Amber Smith, Bonnie LaPorta, Angel Ajani, and Alistair Stewart.

The $12.225 million settlement is intended to resolve all claims from the consolidated lawsuit. 35% of the settlement amount will cover attorneys’ fees, or $4,278,750.00, and up to $30,000.00 in costs. Class representatives will receive a service award of $3,500 each, and the remainder of the settlement will cover claims from class members, which will be paid pro rata and capped at $50 per individual. Claims will be accepted from individuals who had their information disclosed via the tracking tools between October 24, 2017, and October 22, 2022, and were notified about the breach by Advocate Aurora Health. The class is understood to consist of around 2,500,000 individuals.


The settlement has received preliminary approval from a federal Wisconsin court but will need final approval. The date for the final fairness hearing has been set as March 8, 2024, and payments are expected to be sent to class members within 45 days of the final approval. Class members have the opportunity to object to or exclude themselves from the settlement, and have until December 19, 2023, to do so.

This consolidated class action lawsuit is one of many that have been filed against healthcare providers over the use of tracking technologies. Meta is also facing a lawsuit over the use of Pixel by healthcare organizations, which claims that Meta should have known that the tool was used by more than 600 U.S. hospitals in violation of its terms and conditions. While Meta moved to have the lawsuit dismissed, U.S. District Judge William Orrick III denied the motion and allowed the lawsuit to proceed for the alleged violations of federal and state wiretap laws, the California Invasion of Privacy Act (CIPA), and California state larceny law.

Increased Scrutiny of Website Tracking Technologies

Advocate Aurora Health is one of many healthcare providers to discover that the sensitive data of website visitors and app users was being disclosed to third parties such as Meta and Google through the use of website tracking technologies such as Meta Pixel, Google Analytics code, and Software Development Kits (SDKs). The data collected by these tools can be used to improve the services provided and often aids decision-making and the development of marketing strategies. According to a study published in Health Affairs, 99% of 3,747 U.S. hospitals that were assessed in the study used these tracking technologies on their websites.

In December 2022, the HHS’ Office for Civil Rights took the position that the use of these tools on websites, patient portals, and scheduling apps violates HIPAA unless authorizations are obtained from patients consenting to the disclosure of their PHI, or the disclosure is permitted by HIPAA and the third parties to whom the information is disclosed enter into a business associate agreement. Guidance on tracking technologies was issued, and in April 2023, OCR confirmed that non-compliance with the guidance would be an enforcement priority. The Federal Trade Commission has taken action against non-HIPAA-covered entities for deceptive business practices related to these tracking tools – BetterHelp, GoodRx, and Premom – and in July 2023, the FTC and OCR sent warning letters to 130 organizations that used these tools. In September 2023, those letters were published.

The legality of OCR’s position on tracking technologies has been questioned. A lawsuit – Marguerite Kurowski and Brenda McClendon v. Rush System for Health d/b/a Rush University System for Health – was filed in the District Court for the Northern District of Illinois, Eastern Division, over the use of tracking technologies, and the judge rejected using the HHS guidance as a basis for assessing liability under federal wiretapping laws. The judge also questioned whether website metadata collected through the technologies actually qualifies as information that requires protection under HIPAA.

The American Hospital Association (AHA) has also been critical of the decision to effectively ban the use of these tools. It believes the HHS has gone too far with its interpretation of metadata qualifying as HIPAA-protected information and has called for the HHS to withdraw its guidance. The AHA claims that by preventing hospitals from analyzing important visitor data, meaningful harm is caused to patients and public health. Hospitals use video technologies that provide important health information to the public, and map and location technologies that enable the provision of better information about where health services are available. Valuable patient services such as these may not be provided, which would be to the detriment of patients and public health.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
