Advocate Aurora Health Pays $12.25 Million to Settle Pixel Lawsuit
Advocate Aurora Health has offered to pay $12.25 million to settle a consolidated class action lawsuit filed over the impermissible disclosure of patient information to third parties through tracking technologies. Advocate Aurora Health was among the first HIPAA-covered entities to submit a Pixel-related data breach report to the HHS’ Office for Civil Rights and to inform patients that these tracking technologies had impermissibly disclosed their protected health information (PHI) to unauthorized third parties.
Advocate Aurora Health previously used tracking technologies such as Google Analytics, Meta Pixel, and other third-party resources on its site, patient website, and scheduling application. The tracking tools were used to collect information about how its site and application were used, to better understand patient needs and to improve the services it offers. Advocate Aurora Health has since removed the tracking code from its web pages, LiveWell App, and MyChart patient portal. It decided to notify 3 million people who were potentially affected and had some of their sensitive information exposed to third parties.
A number of lawsuits were filed against Advocate Aurora Health after it issued patient notification letters. The lawsuits were consolidated into a single action, In Re Advocate Aurora Health Pixel Litigation. The plaintiffs/class representatives are Shyanne John, Deanna Danger, Richard Webster, James Gabriel, Derrick Harris, Katrina Jones, Bonnie LaPorta, Amber Smith, Alistair Stewart, and Angel Ajani.
The $12.25 million settlement is intended to resolve the claims from all the consolidated lawsuits. 35% of that amount will pay for attorneys’ fees. The class representatives will each receive a service award of $3,500, and the rest of the settlement will be paid pro rata against class members’ claims. Individuals whose information was disclosed through the tracking codes may submit their claims from October 24, 2017 to October 22, 2022.
The settlement has received preliminary approval, but the court has yet to grant final approval. Class members may still object to the settlement or exclude themselves from it. The final fairness hearing has not yet been scheduled.
Federal Judge Tentatively Okays Meta Pixel Medical Privacy Class Action
A federal judge has allowed the class action lawsuit filed against Meta over the exposure of health information to proceed. The judge issued a tentative order permitting the lawsuit to move forward on a number of the plaintiffs’ claims; however, the number of claims was reduced by about half.
The consolidated lawsuit, John Doe v Meta Platforms Inc., filed in the U.S. District Court for the Northern District of California, claims that Facebook’s Meta Pixel tracking tool violated the plaintiff’s and class members’ medical privacy. The lawsuit claims that Meta is aware, or should have been aware, that the Pixel code was being used improperly on the web pages of hospitals. It claims that around 664 hospital systems and healthcare providers were transmitting medical data to Facebook through the Meta Pixel code. According to the lawsuit, the improper use of the tracking code led to the wrongful redirection to Facebook of patient communications to sign up as a patient, sign in to or out of an apparently secure patient site, request or schedule visits, or contact their provider through their computing device. The information was then used to create personalized ads and serve them to individuals.
The HHS’ Office for Civil Rights affirmed in its guidance on HIPAA and tracking technologies, released in 2022, that these tools may only be used when a HIPAA-compliant business relationship exists with the tracking technology vendor or when valid HIPAA authorizations have been obtained. Since Meta isn’t a business associate and had not obtained HIPAA authorizations, the disclosures were impermissible under HIPAA rules.
Meta states in its terms that partners must have a legal right to collect and share information before giving it to Meta. Meta contended that it is the web developers’ responsibility to make sure that proper permission is obtained before adding Meta Pixel to web pages, and stated that it makes clear to web developers how they can satisfy their legal responsibilities when using the Pixel tool. Meta attorney Lauren Goldman states that there is no statutory or common law doctrine that would permit the plaintiffs to impose legal responsibility on Meta for the choice of third parties to transmit to Meta data that it does not like and that it has contractually banned them from transmitting.
U.S. District Judge William Orrick III rejected Meta’s motion to dismiss on a few counts, permitting the lawsuit to continue for the alleged violations of federal and state wiretap laws, as the plaintiffs had adequately asserted that Meta did not do enough to stop the transmission of sensitive health information. Orrick found that the plaintiffs had plausibly contended that the collection of information happened in California, and that Meta had not met its burden of proof to demonstrate that Meta gave healthcare companies the consent to gather sensitive medical data.
The extraterritoriality, California Invasion of Privacy Act (CIPA), Wiretap Act, larceny, and unjust enrichment claims were allowed to proceed; however, Orrick granted the motion to dismiss the claims on privacy, contract, negligence per se, California Comprehensive Computer Data Access and Fraud Act (CDAFA), trespass to chattels, Consumers Legal Remedies Act (CLRA), and Unfair Competition Law (UCL). The plaintiffs’ lawyers need to refile the lawsuit because a few of the privacy claims lack detail regarding the types of data that were purportedly sent to Meta. The judge said at the hearing in the San Francisco federal court that a final order will be issued soon.