Mount Nittany Health Agrees to $1.8 Million Settlement for Using Website Tracking Technologies
Mount Nittany Health in Pennsylvania has agreed to pay $1.8 million to resolve a class action lawsuit that alleged sensitive patient data was shared with third parties such as Meta and Google without the knowledge or consent of patients.
The plaintiffs alleged that Mount Nittany Health added tracking technologies such as pixels to its website and patient portal, which collected information about website visitors based on their interactions, such as the pages viewed and options chosen in forms. That information, which included identifiers such as IP addresses, was transferred to tech companies for marketing and advertising purposes without first obtaining user consent.
The lawsuit alleged that the information collected by the tracking tools could be tied to individuals, and that it could be inferred they were patients of Mount Nittany Health and had, or were being treated for, a specific medical condition. The lawsuit alleged that around 74,000 patients had used the website and/or patient portal since 2007 and potentially had their sensitive information disclosed to third parties without their consent.
Mount Nittany Health maintains there was no wrongdoing, that sensitive patient information was not shared, and there was no data breach; however, the decision was taken to settle the lawsuit rather than engage in a lengthy and expensive litigation process and to avoid the uncertainty of trial. The $1.8 million settlement must be approved by a judge. If approved, the affected patients will be able to submit claims for a share of the settlement fund.
April 19, 2023: Mount Nittany Health Sued Over Alleged Website Tracking Code PHI Disclosures
Mount Nittany Health, a community healthcare provider and operator of the 260-bed Mount Nittany Medical Center in State College, Pennsylvania, is being sued over the alleged use of tracking code on its website and the impermissible disclosure of sensitive patient data to third parties such as Google and Facebook.
A recently published study indicates 99% of U.S. hospitals have used tracking code on their websites that collects the data of users as they navigate the website. The code is typically used to analyze website usage with a view to improving websites and services. The data collected is transmitted to the providers of that code and can be made available to third parties such as advertisers and is often used for serving targeted adverts and for other marketing purposes. Several health systems and hospitals have reported breaches of patient information due to the use of the code over the past few months, including Community Health Network, WakeMed Health and Hospitals, Advocate Aurora Health, and Novant Health, and lawsuits have been filed across the country in response to these disclosures, which are generally not permitted under the Health Insurance Portability and Accountability Act (HIPAA).
The Mount Nittany Health lawsuit was filed in Centre County Court in Pennsylvania on behalf of two unnamed plaintiffs, John and Jane Doe, by attorney George Bochetto of the law firm Bochetto & Lentz. The lawsuit claims the sensitive information of website visitors was collected via code such as Meta Pixel and was transferred to Meta and other third parties without the knowledge or consent of website users.
The code transferred personally identifiable information and information gathered from actions taken on the websites, from which it can be inferred that an individual was a patient of the medical center or was being treated for a specific medical condition. That information is used to sell advertising, and the website owners that install the code are provided with information about ads they have placed on social media networks such as Facebook and Instagram and are able to target individuals who visited their website with advertising.
The lawsuit alleges Mount Nittany Health is continuing to use tracking code on its website and has not notified individuals about the impermissible disclosures. At present, there is no notice on Mount Nittany Health’s website about a tracking code-related data breach and no data breach is listed on the HHS’ Office for Civil Rights breach portal. The lawsuit alleges the websites were not HIPAA-compliant, resulting in invasion of privacy, breach of duty of confidentiality, unjust enrichment, and violations of the Wiretapping and Electronic Surveillance Control Act, and seeks $1 million in damages.


