Advocate Aurora to Settle Web Tracker Claims for $12.25M – Source: www.govinfosecurity.com

Governance & Risk Management
,
Healthcare
,
HIPAA/HITECH

Attorneys to Get $4.3M and Class Reps to Get $3,500 Each Under Proposed Settlement

Marianne Kolbasuk McGee (HealthInfoSec) •
August 16, 2023    

Advocate Aurora Health has agreed to pay $12.25 million to settle consolidated class action claims that the Illinois-based hospital chain invaded patient privacy by using tracking codes on its websites and patient portal, according to a preliminary settlement plan in Wisconsin federal court.

See Also: Live Webinar | Unmasking Pegasus: Understand the Threat & Strengthen Your Digital Defense

The proposed agreement consolidates several lawsuits filed in the wake of Advocate Aurora Health’s disclosure of a web tracker-related HIPAA breach affecting 3 million individuals in October 2022 to the U.S. Department of Health and Human Services’ (see: Health Entity Says Tracking Code Breach Affects 3 Million).

The nonprofit system of 27 hospitals and more than 500 healthcare facilities in Illinois and Wisconsin said at the time of its breach report that it had embedded tracking technologies including Meta Pixel, Google Analytics and other third-party tools into its website, patient portal and some scheduling apps in an effort to “better understand patient needs and preferences.”

The entity has since disabled the tracking tools or removed them from its websites, LiveWell app and MyChart patient portal, which the litigation alleged disclosed patients’ personal or health information to Facebook, Google or other third parties without their consent or knowledge.

Proposed Settlement Details

Under the agreement, attorneys will receive up to 35% of the $12.25 million settlement fund – or nearly $4.3 million, plus expenses up to $30,000; class representatives will be paid service awards of $3,500 each; and class members who file a valid claim form will receive a pro-rata cash payment from the remaining settlement fund.

Eligible class members under the settlement include individuals residing in the U.S. whose personal or health information was – or may have been – disclosed to a third party without authorization or consent through any tracking pixel used on Advocate Aurora’s websites or apps between Oct. 24, 2017, and Oct. 22, 2022.

The settlement is subject to the court’s final approval, for which a hearing date has not yet been set.

Advocate Aurora did not immediately respond to Information Security Media Group’s request for comment on the proposed settlement.

Growing Controversy

The litigation against Advocate Aurora is one of dozens of proposed class action lawsuits that have been filed over the past year or so against entities that use or have used tracking codes in their health-related websites or apps (see: Meta Pixel Lawsuit Survives UC Motion to Dismiss).

The lawsuits include a consolidated proposed class action lawsuit filed last year in a federal California court against Meta, the developer of Meta Pixel. A hearing to dismiss the case is slated for Wednesday (see: Judge Denies Motion to Stop Health Data Scraping by Meta).

The use of web trackers to collect and share individuals’ information with third-party analytics, social media and other companies has come under increasing scrutiny since the Supreme Court overturned Roe v. Wade last year.

Reproductive health and privacy experts have warned that law enforcement in states that have banned or restricted abortions may attempt to collect information about abortions and related women’s care through digital footprints left online and in smartphones.

Regulators also have cautioned entities that handle health-related data that they could face potential federal violations involving the use of web trackers.

The Federal Trade Commission and the U.S. Department of Health and Human Services in July jointly sent letters to 130 hospitals and telehealth providers warning of potential data privacy and security violations involving the use of online tracking technologies (see: Feds Warn Hospitals, Telehealth Firms About Web Tracker Use).

The FTC has already taken enforcement actions against at least two telehealth providers – BetterHelp and GoodRx – plus mobile fertility app vendor Premom in cases involving those companies’ use of tracking tools that shared consumer’s sensitive health and personal information with third-party analytics and social media firms without individuals’ consent.

HHS’ Office for Civil Rights issued guidance last December warning about online trackers.

HHS OCR officials have said the agency is actively investigating entities that use the tools in a manner that would result in impermissible disclosures of protected health information to third-party vendors or in any other violations of the HIPAA Rules (see: HHS: Web Trackers in Patient Portals Violate HIPAA).

Not So Easy

Privacy attorney Cory Brennan of law firm Taft, which is not involved in the Advocate Aurora case, said she has seen an uptick in concern from clients in the marketing and digital advertising services space that are worried about their own healthcare customers asking to use trackers in potentially controversial ways.

“Our clients in this space are pushing their healthcare customers to take this issue seriously and, in some cases, even asking for our help to educate those healthcare entities on this issue,” she said.

Because the digital marketing function of an organization is often a service performed by a third-party vendor, certain healthcare entities don’t even realize this issue is applicable to them, Brennan said.

Controversy surrounding the trackers is driving many entities to consider disabling the tools on their sites, she said. But that’s not an easy fix, either. “It tends to be a very difficult conversation to have within the organization based on the way these trackers are used to quantify the ROI of certain marketing efforts,” she said.

“Many times, the compliance concerns and threat of potential litigation succeed in convincing companies to disable their trackers until they have developed a new process to address these concerns,” Brennan said.

Jeremy Barnett, chief commercial officer at Lokker, a provider of data privacy and compliance tools and services, is seeing similar worries growing over the use of trackers.

“Online tracking concerns are at an all-time high,” he said. “Over the past 12 months, we’ve seen organizations in every sector, from healthcare to retail to media, requiring their online marketing and web operations teams to audit and report on the usage of the Meta Pixel and other tracking tools.”