Timeline of events
Tracking Technology in Healthcare: Privacy and Legal Developments 2022-2023
A timeline of privacy and legal challenges in healthcare technology: Tracking the shift in digital health data laws from 2022 to 2023.
January 2022
Mass General Brigham faced a class action lawsuit, resulting in an $18.4 million settlement over unauthorized use of tracking technologies on its websites. This case highlighted the growing legal seriousness surrounding online privacy and medical data, even though no HIPAA violation was directly claimed.
June 2022
An investigation by The Markup revealed widespread use of Facebook Pixel on hospital websites, potentially violating HIPAA privacy rules by tracking patient appointment details and personal health information, leading to significant legal repercussions.
July 2022
Meta (Facebook's parent company) and several health systems were sued over allegations that the Facebook Pixel tool on their patient portals shared sensitive medical information, leading to targeted advertising and potential HIPAA violations.
August 2022
A federal lawsuit was filed against Northwestern Memorial Hospital and Meta for allegedly sharing patient health information for profit, seeking $5 million in damages and class-action status.
November 2022
Class-action lawsuits were filed against healthcare systems like Advocate Aurora Health and WakeMed for using Facebook tracking technologies, alleging the sharing of millions of patients' health information and profit-making from this data.
December 2022
The Department of Health and Human Services (HHS) revised its guidance on tracking technologies in light of the year's legal actions, clarifying the boundaries of HIPAA compliance and the impermissibility of using tracking tools that disclose PHI.
February 2023
The FTC fined GoodRx $1.5 million for deceptively sharing health information with third parties and falsely suggesting HIPAA compliance, highlighting the importance of privacy in health technology.
February 2023
Cedars-Sinai Medicine faced a lawsuit for using tracking technologies on its website, leading to accusations of sharing user health data with third parties and triggering targeted advertising, independent of Meta’s involvement.
March 2023
BetterHelp was fined $7.8 million by the FTC for misusing sensitive mental health information shared by users, demonstrating the consequences of breaching user trust in health technology.
May 2023
Premom was fined $100,000 by the FTC and ordered to cease sharing personal health data with third parties, a case distinct from HIPAA but still significant in terms of health information privacy.
July 2023
The FTC and HHS issued a joint warning to healthcare organizations about the risks of violating HIPAA due to the use of common web tracking tools, emphasizing the urgency of safeguarding patient health information.
December 2023
New York Presbyterian Hospital paid $300,000 to settle alleged HIPAA Privacy Rule breaches after it was found that tracking pixels on its website could transmit protected health information (PHI) to third parties. The hospital, serving around 2 million patients yearly, had implemented these trackers for marketing and faced scrutiny from a journalist and subsequently from the NY Attorney General. While no admission of wrongdoing was made, the settlement requires NYP to adhere to strict privacy standards and conduct regular audits of third-party tools.
January 2024
Novant Health agreed to a $6.6 million settlement after a tracking pixel on its MyChart patient portal was found to share personal data with unauthorized third parties. The breach, affecting over 1.3 million individuals, was reported to the Office for Civil Rights, with Novant Health claiming no wrongdoing. The settlement offers compensation to users who accessed the portal between May 2020 and August 2022.