Nonprofit health system agrees to $18M settlement over use of ad trackers

A nonprofit hospital in Ohio has agreed to pay $17.8 million to settle a class-action lawsuit over its alleged use of web tracking technologies that, according to the plaintiffs, sent sensitive patient data to third parties. 

Like many healthcare organizations, Adena Health System uses advertising tracking tools on its website, such as Meta Pixel and Google Analytics, which provide data on user traffic. However, Adena was accused of having active code from these trackers embedded in its MyChart patient portal, which means it could gather confidential data such as patient names, addresses, appointment details, personal health information and any communications between the individual and the health system. 

That data would then be shared with tech companies, where it would be used primarily to disseminate ads. This type of data leak is potentially a violation of provisions of the Health Insurance Portability and Accountability Act (HIPAA) and could be subject to appropriate reporting.

According to court documents, some 89,000 patients were potentially impacted—anyone who logged into the portal between Nov. 1, 2022 and June 3, 2024. 

A judge will need to approve the settlement, but as it stands, each patient would receive $21 along with a year of identity protection services. In addition to the $17.8 million, Adena would be responsible for all attorney’s fees. 

The health system would not have to admit wrongdoing, but would be required to take extra precautions to ensure similar incidents do not happen again. 


An all-too-common occurrence 

In the last two years, there have been numerous data breaches associated with the use of big tech advertising tools. In 2023, wholesale retailer Costco was sued after Facebook Pixel was allegedly tracking users of its healthcare website. 

In 2024, there were multiple similar lawsuits filed against health systems: North Carolina’s Atrium Health was sued by two plaintiffs who claimed they received unsolicited emails linked to their use of the hospital’s website. 

A month later, a very similar lawsuit was brought against Florida-based provider network Palm Beach Health, after its website was found to be using tracking tools.

Tracking cookies also caused a major data leak at Kaiser Permanente. In 2024, the health system reported that it was responsible for exposing personal data from 13.4 million members to third-party advertisers, namely Microsoft, Meta and Google, as a result of background code on its website.

The U.S. Department of Health and Human Services attempted to institute a sweeping ban in 2024 on the use of tracking cookies. The rule would have forbidden any HIPAA-covered entity from doing so. However, a federal judge later struck down the rule, as it was deemed to be outside the regulatory authority of the agency. 

Chad Van Alstin Health Imaging Health Exec

Chad is an award-winning writer and editor with over 15 years of experience working in media. He has a decade-long professional background in healthcare, working as a writer and in public relations.
