The North Carolina hospital system has agreed to a $6.6 million settlement for alleged privacy violations.
What happened
Novant Health, one of the largest hospital systems in North Carolina, has recently faced legal repercussions for the use of pixel tracking. They reported the privacy violation to the HHS Office for Civil Rights, revealing that approximately 1.3 million individuals had their data disclosed to Meta between May 1st, 2020, and August 12th, 2022.
Novant had been using tracking pixels on its MyChart patient portal, which went on to send HIPAA protected information to Meta. When Novant discovered the pixel, they immediately disabled it. Impacted information may have included email addresses, phone numbers, computer IP addresses, and contact information.
The breach was considered one of the largest in 2022, but Novant is far from the only healthcare system once reliant on pixels.
Soon after the violation was reported, the OCR, HHS, and FTC began cracking down on the use of pixels.
Read more: HHS and FTC issue stern warning on online tracking in healthcare.
What’s new
Soon after, a lawsuit was filed by patients alleging Novant had invaded their privacy and breached their contract.
Novant has not admitted to any wrongdoing, but agreed to settle to end litigation and avoid legal costs. The 10 plaintiffs are seeking $2,500 each from the case.
Class members include anyone who used Novant’s MyChart portal between the pixel usage dates. Once the settlement is finalized and any additional administrative fees have been processed, individuals will be able to submit a claim to receive a share of the $6.6 million. The final approval hearing is scheduled for June 6th.
What was said
Novant said use of the pixel was accidental and in this situation “the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”
The lawsuit described the pixel as a “tiny 1x1 invisible GIF files that effectively opened a spying window through which a website funnels data about users and their actions to third parties.”
In a statement, Novant Health said they take “privacy and the care of personal information very seriously and values patient trust to keep patients’ medical information private. Novant health will continue to be as transparent as possible and provide information to patients.”
The bottom line
As the case is finalized, Novant will join a host of other hospitals who have faced repercussions for pixel use.
Nevertheless, Novant is paying a significantly higher penalty than most Paubox has seen thus far. The case is reminder of what could be financially at stake for organizations who continue to use pixels despite warnings from the OCR.
Debates regarding pixel use continue, with many hospitals seeking a reversal in the guidance, claiming that pixels do not collect protected health information.
In the meantime, organizations should consider alternatives to tracking technology to maintain the utmost security protections for patients.
Read more: Hospitals seeking quick end to online tracking enforcement
Related: HIPAA Compliant Email: The Definitive Guide
Abby Grifno
