California hospital to pay $875K over Meta Pixel privacy lawsuit

Eisenhower Medical Center has agreed to settle claims that it improperly shared patient data through tracking tools on its website.

What happened

Eisenhower Medical Center, now known as Eisenhower Health, has agreed to an $875,000 settlement following a lawsuit that accused the hospital of disclosing sensitive patient information to third parties via website tracking tools. The lawsuit alleged that tools like Meta Pixel and Google analytics were embedded on its site without proper consent, resulting in unauthorized sharing of medical information with companies such as Meta and Google.

The lawsuit was filed in the U.S. District Court for the Central District of California under the case name B.K., et al. v. Eisenhower Medical Center. It claimed the hospital promoted various digital tools to enhance user engagement and revenue, while knowingly transmitting protected health information without authorization.

Going deeper

Tracking technologies like Meta Pixel are commonly used to analyze website traffic and user behavior. In this case, the lawsuit argued that data transmitted included individuals’ medical conditions, appointment details, and treatment information based on interactions with tools like MyChart and online scheduling forms.

The lawsuit listed 14 causes of action, including violations of California and federal privacy laws such as the Confidentiality of Medical Information Act and the Electronic Communications Privacy Act.

Although the hospital denies all wrongdoing, it agreed to settle to avoid the costs and risks of prolonged litigation.

What was said

As part of the settlement, Eisenhower Medical Center will:

• Create an $875,000 fund covering legal fees, administrative costs, and compensation for affected individuals.
• Pay no more than $288,750 in attorneys’ fees and up to $20,000 in litigation expenses.
• Offer class members (those who used the patient portal or forms between Jan 1, 2019, and May 3, 2023) a pro rata share of the remaining funds.

The hospital also agreed to suspend the use of tracking tools like Meta Pixel for at least two years. After that period, any future use will require clear, affirmative disclosure. A new Web Governance Committee will oversee future analytics and compliance efforts.

The big picture

According to the settlement website, “The Lawsuit claims that Defendant was responsible for the ‘Meta Pixel Disclosure,’” and lists multiple legal violations, including the California Confidentiality of Medical Information Act (CMIA), the Electronic Communications Privacy Act (ECPA), and the California Invasion of Privacy Act (CIPA). The suit also includes claims under California’s Unfair Competition Law, the state constitution, and several other statutes. It seeks relief for individuals “alleged to have been injured by the Meta Pixel Disclosure.”

FAQs

What is Meta Pixel, and why is it controversial in healthcare?

Meta Pixel is a tracking code used to monitor user activity on websites. In healthcare, it becomes controversial when it collects information about a user’s health status or interactions without proper authorization.

Are hospitals subject to HIPAA when using website tracking tools?

Yes. If tracking tools collect protected health information (PHI), hospitals must comply with HIPAA privacy and security rules even when the tools are provided by third parties.

Can patients opt out of this kind of data sharing?

Patients usually aren’t given clear options unless hospitals implement consent banners or disclosures. This case proves the need for more transparent user controls.

What is a Web Governance Committee?

It’s an internal team responsible for overseeing the use of website technologies to ensure they comply with privacy laws and internal policies. Eisenhower Health has agreed to maintain such a committee going forward.

What should other hospitals learn from this case?

Healthcare providers should audit all web tracking tools, ensure they are not sharing PHI without consent, and consider implementing clear disclosures or avoiding such tools altogether when dealing with sensitive health information.