The settlement covers 2.5 million people and is split into two groups based on how deeply their data was exposed, ranging from full patient portal users to visitors who never logged in at all.

 

What happened

Allina Health System, a nonprofit health system based in Minneapolis serving patients across Minnesota and Western Wisconsin, has agreed to pay $12,500,000 to settle a class action lawsuit over its use of website tracking pixels. According to the official settlement website, the case, Ahlers et al. v. Allina Health System, alleged that tracking tools embedded on Allina's websites disclosed personal and health-related information to third parties, including Meta and Google, without patient consent. The lawsuit was first filed on September 16, 2024, in the US District Court for the District of Minnesota, with an amended complaint adding two additional plaintiffs filed on February 12, 2025. The settlement received preliminary court approval on May 11, 2026, and covers approximately 2,531,323 individuals. The claims deadline is September 8, 2026, and the final approval hearing is scheduled for September 24, 2026.

 

Going deeper

The settlement splits the class into two groups based on the type of website interaction involved. Group 1 covers individuals who used Allina's patient portal, non-portal bill pay functions, or non-portal scheduling functions between September 16, 2018, and May 11, 2026. Group 2 covers individuals who visited Allina's websites as patients without using the portal, bill pay, or scheduling functions during the same period. The consolidated complaint asserted claims including invasion of privacy, breach of implied contract, breach of fiduciary duty, negligence, and violations of the Electronic Communications Privacy Act, the Minnesota Health Records Act, and the Minnesota Unfair and Deceptive Trade Practices Act.

 

What was said

Allina Health System has not admitted wrongdoing or liability as part of the settlement. In its filing, the organization stated that it agreed to settle after considering the costs, distraction, and risk associated with continued litigation, consistent with the standard resolution structure used in healthcare pixel litigation settlements in 2025 and 2026.

 

In the know

Allina's $12.5 million settlement is much larger than most healthcare pixel settlements reached this year. Derick Dermatology settled a comparable pixel tracking lawsuit for up to $1 million in June 2026, a difference showing Allina's larger patient population and the inclusion of authenticated patient portal data in the alleged disclosures, which typically carries more direct HIPAA exposure than tracking on public-facing marketing pages. A peer-reviewed study from Rutgers University published in PNAS Nexus earlier this year found that hospitals using third-party tracking pixels were 46% more likely to experience a data breach, with two-thirds of US hospitals studied still using the technology despite years of regulatory warnings and litigation.

 

The big picture

The two-tier settlement structure in the Allina case, distinguishing between patients who logged into authenticated systems and those who simply visited public web pages, proves a legal distinction that matters directly for HIPAA compliance. Tracking pixels on a public marketing page collect different information than pixels on an authenticated patient portal, where a logged-in user's activity can reveal specific appointment types, billing details, or health conditions tied to a verified identity. According to HHS guidance issued in 2022, tracking technology transmitting protected health information to third parties without a business associate agreement likely violates HIPAA, regardless of whether the page sits behind a login. For health systems that have not audited which tracking tools remain active across both their public and authenticated web properties, the Allina settlement puts a concrete dollar figure on what that gap can cost when litigated at scale.

 

FAQs

Why does the settlement distinguish between portal users and non-portal website visitors?

Patient portal, bill pay, and scheduling interactions typically involve authenticated sessions where a user has confirmed their identity, making any data transmitted through embedded tracking tools during that session more directly identifiable and more likely to constitute protected health information under HIPAA. Non-portal website visits carry less direct identity verification, which is showed in the smaller settlement fund allocated to that group.

 

Why do healthcare tracking pixel settlements keep increasing in scale?

As more hospitals face litigation and regulatory scrutiny over the same underlying practice, plaintiffs' firms have refined the legal theories used, and courts have become more familiar with how tracking technology functions on authenticated healthcare websites. Larger health systems with bigger patient populations and more entangled portal architecture, like Allina, face correspondingly larger potential class sizes and settlement values.

 

What should a health system do now to avoid facing a similar settlement?

Conducting a full audit of every tracking pixel, cookie, and analytics tool active across both public and authenticated web properties is the necessary first step, followed by confirming whether business associate agreements exist with every third party receiving data through those tools. Any tool found to transmit protected health information without a compliant BAA should be removed or replaced with a first-party alternative that keeps data within the organization's own infrastructure.