The Christ Hospital Resolves Pixel Litigation for $2 Million

The Christ Hospital in Cincinnati, Ohio, has consented to pay around $7 million to resolve a consolidated class action lawsuit for using tracking tools on its MyChart patient portal. Using tracking tools on websites allows the recording of user data for website improvement. However, these tools frequently share the gathered information with third parties. The data can be connected with individual users and is used for advertising.

These tools are frequently employed on websites and applications, but healthcare providers can use them on websites that require users to sign in, so they can get the sensitive health information. When that data is sent to a third party with no valid business associate agreement, or when consent is not acquired to send the data to a third party, it’s a violation of HIPAA. Multiple class action lawsuits filed against healthcare companies that claimed violations of government and state legislation associated with the use of website tracking tools were resolved recently. A California Jury found Meta responsible in one of the lawsuits sent to trial.

The Christ Hospital faced three lawsuits over using these tracking tools. Because of overlapping claims, they were combined into one action, In Re The Christ Hospital Pixel Litigation, filed in the Court of Common Pleas, Hamilton County, Ohio. The combined lawsuit claimed that The Christ Hospital urged its patients to use its site online to schedule appointments, find facilities, communicate symptoms, look up medical data and treatment possibilities, enroll in classes, and access the patient site to check health records, get prescription refills, and fill in medical forms.

The website used tracking tools like web beacons, pixels, and cookies that gathered sensitive information and shared it with Meta and Google. The data shared on the website can enable third parties to identify a patient’s health condition, such as cancer, addiction, or pregnancy. The plaintiffs claim that the provider added these tools to the website, gathered information, and shared that information with third parties without their awareness or permission.

The data obtained by Meta Pixel was connected to people’s Facebook ID. Google got the information from the Google Analytics code, that could identify people through the Chrome Browser and Google gadgets, so the intercepted information are personally identifiable. The lawsuit stated using the tools is a violation of HIPAA & the FTC Act. State laws like the Ohio Consumer Sales Practices Act, and the Ohio Wiretapping law are also violated. The lawsuit additionally claimed breach of confidence, violation of privacy, unjust enrichment, breach of implied contract, and negligence.

The Christ Hospital does not admit to any wrongdoing; nevertheless, it opted to resolve the litigation to avert the risks and uncertainties linked to a trial. The terms of the settlement require The Christ Hospital to create a $4,500,000 settlement fund to pay for lawyers’ fees and expenditures, settlement management costs, class representatives’ service awards, cash payments, and CyEx’s Privacy Shield Pro memberships. In case, after paying for all of costs and expenses, the funds are not enough to pay class members at least $37.50, then the company should add $2,500,000 more to the settlement fund. If the payments will exceed $7 million, then claims will be paid pro rata.

The Christ Hospital likewise consented to injunctive relief and won’t transfer or allow Facebook to see or access demographic data, and individually identifiable health information subject to HIPAA. That means any data associated with the past, present, or future mental or physical health condition of a person, which distinguishes that person can be employed to identify that person. The injunctive relief is applicable to the Patient Portal, which includes forms and Health Risk Tests, for two years.