Goshen Health System, operating as Goshen Health Hospital in Indiana, reached a class action settlement after facing allegations that its website’s tracking technologies leaked patient information to third parties like Meta without authorization.
What happened
The complaint, Kaitlin Lamarr v. Goshen Health System, Inc., was filed on May 23, 2023, in the Elkhart County Superior Court and targeted the health system’s alleged deployment of website tracking tools that captured user interactions, login behavior, and potentially sensitive patient-identifying details linked to the portal environment.
The lawsuit claimed consumers were never told these tracking tools were collecting and transmitting data, nor did they give informed consent. Plaintiffs alleged this amounted to negligence, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, and violations of both the Indiana Deceptive Consumer Sales Act and the Indiana Wiretapping Act. Each claim rested on the argument that when patients log in to a healthcare portal, they reasonably expect confidentiality, not third-party surveillance embedded through analytics scripts.
Going deeper
Goshen Health denied wrongdoing, maintained that it never intentionally shared protected information, and argued that the legal theories lacked merit. The defense emphasized confidence that it would prevail at summary judgment or trial. However, the organization ultimately chose to settle, citing litigation risk, mounting costs, and uncertainty. Settling eliminated the long legal battle and shifted resources toward operations instead of courtroom fights. Plaintiffs and class counsel described the settlement as reasonable, fair, and in the best interests of affected individuals.
The settlement class includes all individuals who logged into the Goshen Health patient portal between January 1, 2020, and December 31, 2023, a period that mirrors the timeframe of widespread use of tracking pixels across the healthcare industry before OCR’s 2022 public guidance warned that tracking technologies on patient-facing pages could lead to impermissible disclosures of protected health information.
The court granted preliminary approval, with the claim submission deadline set for November 29, 2025, followed by a final fairness hearing scheduled for December 16, 2025. Final approval would operationalize payments and privacy tool distribution, completing one of the notable 2025 resolutions in the rapidly expanding category of healthcare tracking-technology lawsuits.
What was said
The HHS offers the following guidance on the use of tracking technologies for covered entities: “Regulated entities may have user-authenticated webpages, which require a user to log in before they are able to access the webpage, such as a patient or health plan beneficiary portal or a telehealth platform. Tracking technologies on a regulated entity’s user-authenticated webpages generally have access to PHI. Such PHI may include, for example, an individual’s IP address, medical record number, home or email addresses, dates of appointments, or other identifying information that the individual may provide when interacting with the webpage. Tracking technologies within user-authenticated webpages may even have access to an individual’s diagnosis and treatment information, prescription information, billing information, or other information within the portal.”
See also: HIPAA Compliant Email: The Definitive Guide (2025 Update)
FAQs
What are tracking web technologies?
Tracking web technologies are small pieces of code that monitor how users interact with a website.
Why are tracking pixels risky for healthcare websites?
Tracking pixels are risky because they can capture and transmit PHI linked to a patient’s online activity.
What does Meta Pixel do on a website?
Meta Pixel records page views, clicks, and form interactions for analytics and advertising.
Kirsten Peremore
