Novant Health Settles $6.6 Million Pixel Privacy Breach Lawsuit
Novant Health has decided to settle a class action lawsuit over its use of tracking pixels on its patient website. The pixel code on the patient website gathered the personally identifiable information of website users; it was deployed to improve access to care through virtual visits and to expand access in response to restrictions on in-person care. The problem was that the collected data was transferred to third-party tech firms that were not permitted to access the information.
The North Carolina health system was the first to report a pixel-related HIPAA violation to the HHS Office for Civil Rights (OCR). In 2022, Novant Health stated that the PHI of about 1,362,296 persons was shared with third parties, including Meta (Facebook), from May 1, 2020 to Aug. 12, 2022. The HIPAA breach report was submitted a few months before OCR published guidance about HIPAA and the use of tracking pixels and before it was confirmed that the use of pixel codes disclosed PHI to third parties.
Novant Health, like many health systems, put the pixel code on its patient website. According to a study, 99% of U.S. hospitals put pixels or other tracking codes on their web pages, applications, or patient websites that collected visitor information and transmitted that information to third parties.
The Novant Health lawsuit was filed on behalf of 10 Novant Health patients and similarly situated individuals who used the patient portal while the Meta Pixel code was installed. The lawsuit alleged that the health system committed an invasion of privacy, breach of contract, and a violation of HIPAA. Novant Health did not admit any wrongdoing and decided to settle the lawsuit to end the litigation and avoid the uncertainty of trial and legal expenses.
Novant Health values the privacy of patients’ personal data and is transparent in giving information to patients. The proposed settlement is not an admission of wrongdoing, as the court has cleared Novant Health of any wrongdoing.
Under the terms of the settlement, class members, or those who accessed the MyChart portal from May 1, 2020 to Aug. 12, 2022, are eligible to file claims. Novant Health has created a $6.6 million settlement fund. Claims will be paid pro rata after legal expenses and attorneys’ fees have been paid. Another healthcare provider sued for using pixels or other tracking tools is Advocate Aurora Health, which paid $12.225 million to settle the lawsuit.
ReproSource Fertility Diagnostics Data Breach Class Action Settled for $1.25 Million
ReproSource Fertility Diagnostics has proposed a settlement to resolve litigation arising from a 2021 ransomware attack that likely led to the theft of the sensitive health information of approximately 350,000 patients. The fertility testing laboratory, which is based in Marlborough, MA and owned by Quest Diagnostics, had its system breached on August 8, 2021. The ransomware attack was discovered on August 10. The forensic investigation revealed that the attackers could access the sections of the system containing files with sensitive health data.
The breached data included names, telephone numbers, addresses, email addresses, birth dates, billing, and health data like test requisitions and results, medical history data and/or test reports, CPT codes, diagnosis codes, medical insurance or group plan ID names and numbers, and other data given by patients or by treating doctors, and for some individuals, financial account numbers, Social Security numbers, passport numbers, driver’s license numbers, and/or credit card data.
Although no proof of data extraction was found, data theft cannot be ruled out. ReproSource informed around 350,000 persons on October 21, 2023, and was immediately sued. Two class action lawsuits were combined into one because they made the same allegations: that ReproSource was negligent in failing to employ reasonable and proper cybersecurity procedures to stop unauthorized access to patient information. The lawsuits claimed violations of consumer protection legislation in Massachusetts, the Health Insurance Portability and Accountability Act (HIPAA), and the data breach notification law.
ReproSource decided to settle the litigation without admitting wrongdoing. Under the terms of the settlement, class members can file claims for as much as $3,000 to pay for up to 8 hours of lost time, unreimbursed out-of-pocket costs that can be traced to the data breach, credit monitoring services for three years, and an identity theft insurance policy worth $1 million. Alternatively, class members can file a cash payment claim of $50. A $1.25 million fund has been set aside to pay claims, which are paid pro rata based on the total claims. Class members who lived in California during the breach are eligible to receive an extra $50 payment.
The combined lawsuit also sought injunctive relief, including major upgrades to data security to prevent similar ransomware attacks and data breaches in the future. The settlement additionally requires ReproSource to improve its data security program, including its monitoring and detection applications. A Massachusetts judge is set to give final approval to the settlement.