Atrium Health Pays Up to $1.8M to Resolve Pixel Lawsuit
Charlotte-Mecklenburg Hospital Authority, doing business as Atrium Health, has agreed to pay up to $1,800,000 to settle a class action lawsuit stemming from its use of pixels and other tracking technologies on its MyAtriumHealth (formerly called MyCarolinas) patient portal.
North Carolina-based Atrium Health operates a dozen hospitals in North and South Carolina, along with more than 900 care facilities in the two states. Like many health systems, Atrium Health used tracking technologies on its patient portal. These tools have important uses for website operators; however, their use on healthcare websites risks impermissible disclosures of sensitive data.
When these tools are added to authenticated web pages such as patient portals, patients’ protected health information may be disclosed to the third-party providers of the tools, such as Meta (Facebook) and Google. Following an investigation, Atrium Health determined that between January 1, 2015, and July 31, 2019, the protected health information of up to 585,959 patients may have been impermissibly disclosed to third parties as a result of the use of these tools. When reporting the data breach, Atrium Health assumed that all patients who used the portal had their ePHI impermissibly disclosed.
The data potentially compromised included IP addresses and third-party identifiers/cookies. If forms were filled out, that disclosed information may also have included full names, email addresses, phone numbers, city/state/zip code, gender, and any other information entered into the forms.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
Multiple class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Julie Roberts, et al. v. The Charlotte-Mecklenburg Hospital Authority – in the Superior Court of Mecklenburg County, North Carolina, naming Julie Roberts, Judith Sigmon, Darielle Hill, and Chrisanna Brown as representatives of a national class.
The plaintiffs alleged that their privacy had been violated by the defendant’s use of these tools, which they claim were added to the patient portal without their knowledge or consent. The lawsuit asserted claims for breach of express contract, breach of implied duty of good faith and fair dealing, breach of implied contract, negligence, breach of fiduciary duty, and unjust enrichment.
Atrium Health denies all wrongdoing and maintains it has not violated any laws and filed a motion to dismiss, which was partially successful; however, the lawsuit was allowed to proceed. The parties ultimately agreed to a settlement to avoid the costs and risks associated with continuing the litigation.
The settlement covers all individuals residing in the United States who had patient portal accounts – MyAtriumHealth or MyCarolinas – between January 1, 2025, and April 10, 2024, with limited exceptions. Atrium Health has agreed to establish a $1,800,000 settlement fund, from which $1,500,000 will be used to cover attorneys’ fees and expenses, administration costs (for Group 1 claims), and payments to individuals who used their accounts between January 1, 2015, and July 31, 2019.
The settlement also includes up to $300,000 to pay for claims from individuals who had a Patient Portal account between January 1, 2015, and April 10, 2024, but did not access their account between January 1, 2015, and July 31, 2019. (Group 2). The remainder of the funds in the Group 1 settlement will be paid pro rata to individuals who submit a claim, and individuals in Group 2 will receive a payment of up to $10 if they submit a claim. The deadline for opting out and objection is August 31, 2026. Claims must be submitted by September 28, 2026, and the final fairness hearing has been scheduled for September 30, 2026.


