Atrium Health has agreed to pay $1.8 million to settle a class action lawsuit alleging that its use of the Meta Pixel and other web tracking technologies disclosed patients' sensitive health information to third parties without their consent.

 

What happened

According to Bank Info Security, Atrium Health has agreed to pay $1.8 million to settle a class action lawsuit alleging that its use of website tracking technologies exposed patients' sensitive health information to third-party advertising companies, including Meta and Google. Although the health system denies any wrongdoing, the proposed settlement would resolve claims brought on behalf of patients whose information was allegedly shared through tracking pixels embedded in the organization's patient portal and websites.

 

The backstory

The proposed settlement follows an earlier privacy incident involving Atrium Health's use of online tracking technologies. In 2022, the health system disclosed that a misconfiguration of the Meta Pixel on its websites may have exposed the personal information of approximately 2.65 million patients to Meta. The exposed information varied by individual but included names, email addresses, IP addresses, appointment details, and, in some cases, information related to medical conditions, physicians, and scheduled appointments. Atrium Health said the issue affected its MyAtriumHealth patient portal and other online properties before the tracking technology was disabled.

Go deeper:

 

Going deeper

Under the proposed settlement, eligible class members may receive compensation, while Atrium Health has also agreed to implement additional safeguards governing its use of online tracking technologies. The agreement still requires court approval before becoming final.

The lawsuit is one of dozens filed against hospitals and health systems across the United States over the use of Meta Pixel and similar analytics tools. These cases have prompted many healthcare organizations to reassess their digital marketing practices and review whether third-party tracking technologies comply with healthcare privacy requirements.

 

What was said

According to Bank Info Security, Atrium Health did not immediately respond to their request for comment on the settlement. However, the health system continues to deny the allegations and has agreed to settle the case without admitting liability.

The settlement comes as legal experts say class action lawsuits have become the primary risk associated with healthcare organizations' use of web tracking technologies. "Many healthcare organizations were unfamiliar with lawsuits related to website trackers, but upon seeing OCR's bulletin, immediately ended the use of trackers or curtailed their use significantly," said Adam Greene, a regulatory attorney at Davis Wright Tremaine.

Greene added that while many organizations initially focused on potential HIPAA enforcement, "class action lawsuits over the use of those technologies remain the far bigger legal risk" than regulatory action. He also noted that, "From what we have seen so far, the Trump administration seems significantly less focused on website trackers than the Biden administration was."

 

The bigger picture

The Atrium Health settlement is the latest in a growing series of lawsuits over healthcare organizations' use of the Meta Pixel and other web tracking technologies. In a similar case, Duke University Health System agreed to pay $3.74 million to settle allegations that tracking technologies embedded on its patient-facing website, Duke MyChart patient portal, and MyDuke Health mobile app transmitted patients' personal and health-related information to Meta without their knowledge or consent.

Go deeper: Duke Health to pay $3.7 million in Meta Pixel privacy settlement

 

Why it matters

Meta Pixel is not HIPAA compliant because Meta does not sign a business associate agreement (BAA) for the tracking technology. Without a BAA, healthcare organizations cannot use Meta Pixel to collect, process, or disclose protected health information (PHI) without risking HIPAA violations.

The Atrium Health settlement should remind healthcare organizations that they must carefully evaluate any third-party tracking technologies deployed on patient-facing websites, portals, and mobile apps. If these tools transmit PHI to companies that are not HIPAA compliant, providers may face costly litigation, regulatory scrutiny, and a loss of patient trust.

Read also: Legal storm brews for healthcare amid third-party tracking concerns

 

FAQS

Why are healthcare organizations being sued over Meta Pixel?

Many lawsuits allege that hospitals and health systems embedded Meta Pixel or similar tracking technologies on patient-facing websites and portals, allowing sensitive patient information to be shared with third parties without patients' knowledge or authorization.

 

How can healthcare organizations use website analytics while remaining HIPAA compliant?

Healthcare organizations should use analytics solutions designed for HIPAA-regulated environments, ensure vendors sign a BAA when required, and avoid deploying tracking technologies that transmit protected health information to third parties.