
The HIPAA Journal is the leading provider of HIPAA training, news, regulatory updates, and independent compliance advice.

University of Rochester Medical Center Settles Pixel Lawsuit for $2.85M

The University of Rochester has agreed to a $2.85 million settlement to resolve all claims related to the use of tracking technology on its website and MyChart patient portal. Like many healthcare providers, the University of Rochester Medical Center (URMC) used tracking technologies on its website to collect information on how its website was used.

Tracking tools, often referred to as pixels, record user interactions on websites, such as the time spent on particular pages, the links and buttons that are clicked, and any text entered into search bars, chats, or text boxes. That information is tied to a user by their IP address, device ID, and Facebook ID, is transmitted to third parties, and can potentially be used to serve personalized advertisements on other websites.

The HHS’ Office for Civil Rights issued guidance on website trackers in December 2022, clarifying how these tools can be used in compliance with the HIPAA Rules. The guidance was challenged in court and partially rescinded; as a result, the tools can be used on unauthenticated web pages, but not on pages that require authentication, such as patient portals.

The University of Rochester operates URMC, one of the largest medical treatment and research facilities in New York state, with more than 26,000 employees and almost 3,000 clinical researchers. URMC has a linked MyChart Patient Portal, which is accessible through its website and can be used by patients to view their health information, communicate with the medical center, and make appointments.


After being made aware of the use of tracking tools on the URMC website, plaintiffs Carol Kane and Bonnie Wilson filed a class action lawsuit – Kane v. University of Rochester – in the U.S. District Court for the Western District of New York, alleging unlawful disclosure of their protected health information. The plaintiffs used the URMC website and patient portal to receive healthcare services, including scheduling doctors’ appointments. The plaintiffs claim they were unaware that their sensitive information was being shared with third parties.

According to the lawsuit, between January 11, 2021, and January 11, 2023, two tracking tools were installed on the MyChart portal: the Facebook tracking pixel (Meta Pixel) and the Conversions Application Programming Interface (CAPI). At the time, the URMC website stated that URMC is “committed to protecting your privacy. Any information you provide to us through the URMC website—for example, name, address, and phone number—will never be sold to third parties.” The URMC privacy policy also explained that protected health information will not be shared with any third party unless permitted under HIPAA, such as for “legal purposes or investigations, or if so directed by the patient through a proper authorization.”

The lawsuit asserted multiple claims, including breach of contract, unjust enrichment, breach of fiduciary duty, breach of confidence, bailment, and a violation of the Federal Wiretap Act. The University of Rochester filed a motion to dismiss, which was partially granted; however, several claims were allowed to proceed. URMC denies all claims and contentions alleged against it, including that any tracking technologies were implemented in the patient portal or electronic medical record system. While URMC maintains there was no wrongdoing, a settlement was agreed to avoid the costs and risks associated with continuing the litigation.

Under the terms of the settlement, individuals who visited the website between January 2018 and June 12, 2023, are entitled to claim settlement benefits. URMC has agreed to establish a $2.85 million settlement fund, from which attorneys’ fees, legal expenses, and class representative service awards will be deducted. The remainder of the settlement fund will be distributed evenly to all class members who submit valid claims. The amount of the cash payments will depend on the number of valid claims received.

The settlement has received preliminary approval from the court, and the final approval hearing has been scheduled for August 21, 2025. Individuals wishing to object to the settlement, opt out of the settlement, or submit a claim for benefits must do so by July 21, 2025.

“The privacy and security of URMC patients’ health information is exceptionally important, and the protection of this confidential information remains a top priority,” explained URMC in a statement. “We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed security standards. While URMC disputes the plaintiffs’ allegations, we are pleased to have reached a resolution.”

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
