Data Privacy
,
Data Security
,
Fraud Management & Cybercrime
NC Nonprofit Is Latest Organization to Resolve Claims Involving Online Trackers

North Carolina-based Atrium Health has agreed to pay $1.8 million to settle class action litigation stemming from its previous use of pixel tracking codes on its patient portal. Patients claimed the nonprofit health system unlawfully shared sensitive patient information with third-party firms including Meta and Google for marketing purposes.
See Also: OnDemand | Transform API Security with Unmatched Discovery and Defense
Atrium Health operates an academic medical center in Charlotte, North Carolina, 11 other hospitals and more than 900 care locations serving North and South Carolina. In 2024, Atrium Health told federal regulators its use of third-party tracking technology on its patient portal from January 2015 until July 2019, reporting the HIPAA breach as affecting nearly 586,000 individuals (see: How Healthcare Cyberattacks Broke Records in 2024).
Under the proposed settlement, Atrium Health will pay up to $1.8 million to resolve the lawsuit, with $1.5 million paying for $2,500 service awards to several class representatives, class counsel’s attorneys’ fees and expenses – which have not yet been finalized.
Administration costs and payments will go to a “Group 1” of class members who used their patient portal accounts between Jan. 1, 2015, and July 31, 2019, while the web trackers were installed.
Atrium Health has agreed to pay up to an additional $300,000 to “Group 2” patients who had a patient portal account between Jan. 1, 2015, and April 10, 2024, but didn’t access their account between Jan. 1, 2015, and July 31, 2019.
The amount of the payments to Group 1 and Group 2 claimants will depend upon the number of claims received. Group 2 claimants could potentially receive a payment of up to $10, but perhaps less.
Atrium Health didn’t immediately respond to ISMG’s request for comment on the settlement.
The Atrium Health breach was among dozens of HIPAA breaches reported to the U.S. Department of Health and Human Services in 2023 and 2024 by other healthcare sector organizations also related to their previous use of tracking pixels.
As in the Atrium Health breach, lawsuits filed by other patients alleged privacy invasion and other claims involving health and personal information that was captured on the healthcare organizations’ portals, websites and apps and transmitted to third parties without their patients’ knowledge or consent.
During the Biden administration, both HHS’ Office for Civil Rights and the Federal Trade Commission heavily scrutinized the use of web tracking tools in health-related websites and mobile apps (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).
Federal regulators released guidance materials in 2022 and 2024 that warned about potential HIPAA violations related to online trackers (see: Tracker Backtrack: Feds Revise HIPAA Guidance on Web Tools).
Besides the HIPAA warnings, the FTC issued several enforcement actions against telehealth companies during the Biden administration, including GoodRx and BetterHelp, related to their use of web trackers.
The proposed settlement of the Atrium Health lawsuit joins similar class action cases filed against healthcare organizations for their previous use of pixel codes on their websites, patient portals or mobile apps.
A federal California court last week signaled that it would grant final approval of a settlement worth up to $47.5 million to resolve similar alleged data privacy claims against Kaiser Permanente, which previously used web trackers.
Kaiser Permanente in 2024 reported to federal regulators a HIPAA breach affecting 13.4 million patients involving its previous use of trackers (see: Kaiser Permanente to Pay up to $47.5M in Web Tracker Lawsuit).
Since the HHS OCR’s warnings in 2022 and 2024 about online trackers, many HIPAA-regulated organizations drastically changed their use of the technologies, including dropping the tools altogether, or at least updating their notices and consent practices for patients, some experts said.
“Many healthcare organizations were unfamiliar with lawsuits related to website trackers, but upon seeing OCR’s bulletin, immediately ended the use of trackers or curtailed their use significantly,” said regulatory attorney Adam Greene of the law firm Davis Wright Tremaine.
While many healthcare organizations first learned of the risks of website trackers through OCR’s guidance and were primarily concerned about a potential HIPAA violation, class action lawsuits over the use of those technologies “remain the far bigger legal risk,” rather than regulatory enforcement at this point, he said.
“From what we have seen so far, the Trump administration seems significantly less focused on website trackers than the Biden administration was,” Greene said.
“We have not heard much from OCR on the issue recently, especially after a portion of their guidance was overturned in court, and the FTC has not brought another enforcement action after pursuing several of them in 2023 and 2024.”
