NC Health System Agrees to Pay $6.6M in Web Tracking Case – Source: www.databreachtoday.com

Governance & Risk Management
,
Healthcare
,
Industry Specific

Novant Health Is Among Latest Organizations Opting to Settle Patient Privacy Claims

Marianne Kolbasuk McGee (HealthInfoSec) •
January 16, 2024    

A North Carolina healthcare system has agreed to pay $6.6 million to settle a consolidated class action lawsuit involving its use of tracking tools in its websites and patient portals. The suit alleges the website trackers sent sensitive patient information to third parties without their consent or knowledge.

See Also: Live Webinar | Integrating Splunk and Panther for Real-Time Alerting and Custom Dashboarding

The consolidated litigation filed in November 2022 centered on Winston-Salem, N.C.-based Novant Health’s use of Meta pixel internet trackers embedded in its websites and MyChart patient portal between May 1, 2020, and Aug. 12, 2022.

Novant Health had reported its use of the online trackers to federal regulators on Aug. 14, 2022, as a HIPAA breach affecting more than 1.36 million individuals (see: Lawsuit Against FTC Intensified Location Data Privacy Battle).

Novant Health’s August 2022 breach report to the U.S. Department of Health and Human Services came in the midst of growing controversy around the use of online trackers by health-related websites following the Supreme Court’s June 2022 ruling overturning Roe v. Wade.

Reproductive health and privacy experts had warned about data brokers and law enforcement in certain states potentially attempting to collect information about abortions and other sensitive healthcare through location tracking and other digital footprints left online and in smartphones.

In addition, reports by investigative media sites The Markup and STAT in 2022 found tracking tools embedded in dozens of hospital and telehealth websites across the country.

In the breach notice Novant Health issued at the time of its report to HHS’ Office for Civil Rights, the healthcare group said it had launched the use of trackers in May 2020 as part of “a promotional campaign” to better connect with patients during the COVID-19 pandemic.

Novant in its breach notice said that on June 17, 2022, it determined that “an incorrect configuration of Pixel” in the healthcare provider’s website and patient portal may have allowed individuals’ private information to be transmitted to Meta, parent company of Facebook.

Potentially affected data included patients’ demographic information such as email address, phone number, computer IP address, contact information, appointment type and date, and physicians, Novant Health said.

The consolidated lawsuit against Novant Health alleged among other claims that the healthcare system invaded the privacy of plaintiffs and class members by “intentionally installing the well-known Facebook tracking pixel on its website that secretly enabled the unauthorized transmission and disclosure of confidential medical information.”

Novant Health in a statement posted on its website last week said the proposed settlement “is not admission of wrongdoing, and the court did not find any wrongdoing” by Novant Health.

“Novant Health will continue to be as transparent as possible and provide information to patients,” the statement said.

Novant Health did not immediately respond to Information Security Media Group’s request for additional comment on the proposed settlement and whether the healthcare entity is still using online trackers in its websites and patient portals.

Settlement Details

Under the proposed settlement, class members who file a valid and timely claim form may receive a pro-rata cash payment from the net settlement fund.

The net settlement fund is what remains of the $6.6 million settlement fund following the payment of administrative and notice costs, class representation service awards of $2,500 per representative, and attorneys’ fees and expenses, which will total about $1.2 million for fees and up to $30,000 for expenses.

A court hearing for final approval of the settlement is slated for June 6 in the U.S. District for the Middle District of North Carolina.

Growing Scrutiny

Novant Health is among the latest of several other healthcare entities that have recently settled civil lawsuits or regulatory enforcement cases involving their use of web trackers.

Last month, NewYork-Presbyterian Hospital agreed to pay a $300,000 fine and take corrective actions under a settlement with New York state attorney general’s office involving the academic medical center’s previous use of tracking tools in its websites and patient portal (see: State AG Hits Hospital with $300K Fine for Web Tracker Use).

New York state regulators said the hospital had violated HIPAA rules in sharing patient information with third parties for marketing purposes. NYP in June 2022 conducted its own forensics investigation into it use of trackers and reported the incident in March 2023 to HHS OCR as a HIPAA breach affecting about 54,500 individuals (see: 3 More Healthcare Entities Report Website Tracking Breaches).

Meanwhile, Advocate Aurora Health last August agreed to pay $12.25 million to settle consolidated civil class action claims that the Illinois-based hospital chain also invaded patient privacy by using tracking codes on its websites and patient portal. Advocate Aurora in October 2022 reported a HIPAA breach affecting 3 million individuals involving its prior use of web trackers (see: 3 More Healthcare Entities Report Website Tracking Breaches).

Meanwhile, Advocate Aurora Health last August agreed to pay $12.25 million to settle consolidated civil class action claims that the Illinois-based hospital chain also invaded patient privacy by using tracking codes on its websites and patient portal. Advocate Aurora in October 2022 reported a HIPAA breach affecting 3 million individuals involving its prior use of web trackers (see: Health Entity Says Tracking Code Breach Affects 3 Million).

Meta, meanwhile, also faces a consolidated class action lawsuit in a northern California federal court alleging that the social media giant is using its Pixel tracking tools to collect millions of individuals’ sensitive health data from healthcare provider websites and patient portals without patients’ knowledge or consent (see: Facebook Slapped With Another Health Data Privacy Lawsuit).

Federal regulators are also intensely scrutinizing the use of web trackers in health-related websites.

The Federal Trade Commission and the HHS last July jointly sent letters to 130 hospitals and telehealth providers warning of potential data privacy and security violations involving the use of online tracking technologies (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).

HHS OCR issued guidance in December 2022 also warning about the unlawful use of online trackers. The agency has said it is preparing to take HIPAA enforcement actions against entities in such cases.

But the American Hospital Association and three other organizations last November filed a federal lawsuit seeking to have HHS withdraw its guidance warning that the use of online trackers by hospitals potentially violates HIPAA (see: AHA Sues Feds Over Privacy Warning About Web Tracker Use).

Meanwhile, the FTC has taken enforcement actions against at least two telehealth providers – BetterHelp and GoodRx – plus mobile fertility app vendor Premom in cases involving those companies’ use of tracking tools that shared consumer’s sensitive health and personal information with third-party analytics and social media firms without individuals’ consent.

Also earlier this month, in a related development, the FTC in a proposed order banned data broker Outlogic, formerly X-Mode Social, from sharing or selling sensitive location data with third parties. The settlement follows allegations that the company had sold precise location data, potentially enabling the tracking of individuals visiting sensitive locations such as medical clinics, places of worship and domestic abuse shelters (see: Breach Roundup: FTC Bans Data Broker from Sharing Locations).