The healthcare provider allegedly shared patient data with third parties via tracking tools.
What happened
LCMC Health Holdings and Louisiana Children’s Medical Center have agreed to settle a lawsuit over allegations that their use of tracking code on the LCMC Health website and patient portal shared sensitive user data with third parties like Facebook and Google without patient consent. The tools, including Meta Pixel, reportedly tracked user actions such as pages visited, buttons clicked, and form entries, transmitting this information to external platforms.
The case, Pebbles Martin v. LCMC Health Holdings, Inc. and Louisiana Children’s Medical Center, claims this data was used to deliver targeted ads and build detailed patient profiles. Although LCMC denies wrongdoing, it chose to settle the case to avoid prolonged litigation.
Going deeper
The use of Meta Pixel and similar tools by healthcare providers drew significant attention after the Department of Health and Human Services’ Office for Civil Rights (OCR) issued guidance warning that such tools likely violated HIPAA regulations. The guidance clarified that using tracking technologies on authenticated pages, like patient portals, would only be permissible under strict conditions: either a HIPAA compliant business associate agreement must be in place, or patients must give explicit authorization.
That guidance was later partially overturned by a judge, though the legal boundaries remain in flux. LCMC Health is one of several organizations facing lawsuits over similar alleged HIPAA violations.
What was said
LCMC Health has not admitted liability but agreed to a settlement that includes a $15 cash payment for affected individuals and a complimentary one-year subscription to Cyex Privacy Shield Pro. The settlement covers users who accessed the LCMC Health patient portal between January 1, 2019, and November 30, 2022.
Additionally, LCMC Health has agreed to refrain from using specific tracking tools on its website and portal for two years following final approval of the settlement. A final hearing is set for November 7, 2025.
The big picture
The LCMC settlement shows why healthcare organizations can’t wait for regulators to uncover compliance gaps. As the Paubox 2025 Healthcare Email Security Report notes, OCR warns that HIPAA-regulated entities must be “proactive in ensuring their compliance with the HIPAA Rules, and not wait for OCR to reveal long-standing HIPAA deficiencies.” These failures don’t just trigger legal action; they weaken patient confidence. The report adds that patients “must be able to trust that sensitive health information in their files is protected to preserve their trust in the patient-doctor relationship.”
FAQs
What is Meta Pixel, and why is it problematic in healthcare?
Meta Pixel is a tracking tool used to gather website analytics and user behavior. When placed on patient portals, it can inadvertently transmit protected health information to third parties, potentially violating HIPAA.
Why was the HHS guidance on tracking tools partially vacated in court?
The court ruled that certain parts of the HHS guidance exceeded the agency’s authority or lacked sufficient legal basis, though the core privacy concerns still stand. The ruling has introduced uncertainty into how HIPAA applies to tracking tech.
What does Cyex Privacy Shield Pro do?
It’s a privacy service that helps users monitor for data misuse, manage personal information online, and reduce exposure to future privacy breaches.
Can other healthcare providers still use tracking tools like Meta Pixel?
Yes, but only on public-facing pages or with explicit patient authorization or a valid business associate agreement. Use on login-protected portals without safeguards remains legally risky.
Farah Amod
