Third-party tracking pixels raise hospital breach risk by 46%
Two-thirds of US hospitals use tracking technology that sends patient data to external vendors, and most have no visibility into what happens to that...
Tshedimoso Makhene
June 17, 2026
Duke University Health System has agreed to pay $3.74 million to settle a class-action lawsuit alleging that tracking technologies shared patient information with Meta through its websites and patient portals.
Duke University Health System (DUHS) has agreed to pay approximately $3.7 million to settle a class-action lawsuit alleging that patient information was improperly shared with Meta, the parent company of Facebook, through online tracking technology known as the Meta Pixel. The settlement received preliminary court approval in March 2026 and was publicly highlighted in late May.
The lawsuit alleged that Duke Health embedded tracking technologies, including the Meta Pixel, on its patient-facing website, Duke MyChart patient portal, and MyDuke Health mobile application. Plaintiffs claimed that these tools transmitted personal and health-related information to Meta when patients accessed online healthcare services between February 18, 2019, and June 17, 2022.
Under the proposed settlement, eligible patients who used Duke MyChart or the MyDuke Health app during the specified period may be entitled to a portion of the settlement fund. Duke Health has denied any wrongdoing but agreed to settle the case to avoid the costs and uncertainties associated with prolonged litigation.
According to the settlement agreement, Duke University Health System denied all allegations raised in the lawsuit, stating that it “denies all claims asserted against it in the Litigation, denies all allegations of wrongdoing and liability, and denies all material allegations of the Complaint.” The agreement further states that the settlement should not be construed as an admission that DUHS violated any law, statute, or legal duty.
At the same time, both sides agreed that settling the case was preferable to continuing a lengthy and expensive legal battle. According to the agreement, the settlement was reached to avoid the costs, risks, and uncertainty associated with further litigation.
The plaintiff and class counsel likewise emphasized the benefits of resolving the case through settlement. The agreement notes that the plaintiff and her attorneys considered "the substantial benefits to be received by the Settlement Class" and weighed them against "the risks and uncertainties associated with continued litigation." As a result, they concluded that the settlement is "fair, reasonable, adequate, and in the best interests of the Settlement Class."
The Duke Health settlement is one of many cases involving healthcare organizations' use of Meta Pixel and other web-tracking technologies. In July 2024, a federal court approved a $12.2 million settlement involving Advocate Aurora Health over allegations that the health system disclosed personal information belonging to more than 2.5 million individuals to Meta and Google through tracking technologies embedded on its website and patient portal. Plaintiffs alleged that the tools captured information such as appointment details, provider information, patient portal communications, and health insurance data. Advocate Aurora denied wrongdoing but agreed to settle the claims.
Similarly, in June 2024, a federal judge approved a $6.6 million settlement involving Novant Health, which was accused of using a Meta tracking pixel that allegedly shared the personal and health information of approximately 1.3 million patients with Facebook. The case stemmed from disclosures made by the health system in 2022 after it discovered that patient information may have been transmitted through the tracking tool. Novant Health denied liability but agreed to settle the lawsuit.
Tools such as Meta Pixel are commonly used to measure website traffic, understand user behavior, and support digital marketing efforts. However, when implemented on healthcare platforms, these technologies can inadvertently collect and transmit sensitive patient information to third parties.
The privacy risks associated with web-tracking tools are becoming increasingly apparent. A recent Paubox report found that hospitals using third-party tracking pixels experienced a 46% higher risk of data breaches than those that did not. The concern is that tracking technologies may share information such as appointment searches, patient portal activity, or other health-related interactions with outside companies, potentially creating unauthorized disclosures of protected health information (PHI).
The Duke Health settlement illustrates the legal and privacy risks of using third-party tracking technologies in healthcare settings. While tools such as the Meta Pixel are widely used to improve website performance and support digital outreach, healthcare organizations face unique challenges because the information generated by patients' online activities may be considered PHI.
The Meta Pixel is a web-tracking tool developed by Meta that helps website owners measure user activity, track conversions, and improve advertising performance.
Healthcare organizations may use tracking tools to understand website traffic, improve user experience, measure marketing effectiveness, and optimize online services.
A data breach typically involves unauthorized access to data through a cyberattack or security incident. An unauthorized disclosure occurs when information is shared in a manner that may not be permitted under privacy laws or organizational policies.