In October 2022, Advocate Aurora Health notified three million individuals of a data breach resulting from its use of tracking pixels on its website for tracking website visitor activity. Now, this month, Advocate Aurora Health settled a class action stemming from that data breach for $12.25 million.

In its breach notification to patients, Advocate Aurora Health stated that it had used third-party vendors to “measure and evaluate information concerning the trends and preferences of its patients as they use our websites,” which means the health care system was sharing IP addresses, locations, times of appointments, and communications within MyChart with these third parties without necessary consent or for an otherwise permissible purpose under the Health Insurance Portability and Accountability Act (HIPAA). Upon discovery of this disclosure, Advocate Aurora Health conducted an internal investigation to determine the scope of patient information that was being transmitted to its third-party vendors.

After the breach notification, many lawsuits were filed and eventually consolidated into a class action complaint. The class action complaint alleged that Advocate Aurora Health’s use of tracking pixels on its website “resulted in the invasion of Plaintiffs’ and Settlement Class Members’ privacy and other alleged common law and statutory violations.”

The $12.25 million settlement will be distributed to class members and used to reimburse attorneys’ fees and other expenses. A recent study in Health Affairs found that third-party tracking technologies are being used on 98.6 percent of all U.S. non-federal acute care hospital websites. If your health care organization falls into this category, take this settlement and the many other pending pixel class action cases as a reminder to review your website’s use of pixels and other tracking technologies and to update your website privacy policies and data collection practices for compliance.

Kathryn Rattigan

Kathryn Rattigan is a member of the Business Litigation Group and the Data Privacy+ Cybersecurity Team. She concentrates her practice on privacy and security compliance under both state and federal regulations and advising clients on website and mobile app privacy and security compliance. Kathryn helps clients review, revise and implement necessary policies and procedures under the Health Insurance Portability and Accountability Act (HIPAA). She also provides clients with the information needed to effectively and efficiently handle potential and confirmed data breaches while providing insight into federal regulations and requirements for notification and an assessment under state breach notification laws. Prior to joining the firm, Kathryn was an associate at Nixon Peabody. She earned her J.D., cum laude, from Roger Williams University School of Law and her B.A., magna cum laude, from Stonehill College. She is admitted to practice law in Massachusetts and Rhode Island.