
Mount Sinai settles web tracking lawsuit for $5.3 million


New York’s largest hospital network has agreed to a multi-million dollar settlement over claims it improperly shared patient data with Facebook.


What happened

Mount Sinai Health System will pay $5.3 million to resolve a class action lawsuit alleging that it shared personal health information about users of its website and patient portal with Facebook without their knowledge or consent. The allegations center on Mount Sinai’s use of tracking tools, including the Facebook Pixel and the Conversions API, on both its main website and its MyChart patient portal between October 2020 and October 2023.

Although Mount Sinai denied any wrongdoing and specifically disputed that any medical information was shared, the plaintiffs argued that the embedded tools collected personally identifiable information (PII) and transmitted it to Facebook, in violation of federal and state privacy laws.


Going deeper

The lawsuit, Cooper, et al., v. Mount Sinai Health System, Inc., was filed in the Southern District of New York by four individuals who claimed their health-related data was collected and shared without consent. The legal complaint included violations of the Electronic Communications Privacy Act and New York’s consumer protection laws, along with claims of negligence, invasion of privacy, and breach of implied contract, among others.

The lawsuit survived a motion to dismiss and moved into discovery. Following mediation, the parties agreed to a settlement in principle to avoid the risks and costs of a trial. The court has now granted preliminary approval of the settlement terms.

The settlement class includes more than 1.3 million people who accessed their MyChart account through Mount Sinai’s website during the three-year period covered by the complaint.


What was said

Mount Sinai maintains that no medical information was ever transmitted to Facebook. However, the plaintiffs argued that the combination of tracking tools and login activity created a digital trail that revealed sensitive user behavior, potentially including appointment types, login timestamps, and patient identifiers.


FAQs

What are the Facebook Pixel and the Conversions API, and how do they work?

Both are Facebook (Meta) advertising and analytics tools that report visitor activity such as page views, button clicks, or form submissions so that the site operator can measure and target advertising. The Pixel is a JavaScript snippet embedded in the page: it runs in the visitor’s browser and sends events to Facebook directly, together with the URL of the page the event fired on and cookies that identify the browser. The Conversions API does the same job from the server side, with the website operator’s own systems sending the events to Facebook. When either is deployed in a sensitive environment such as a patient portal, the page URL, event names, and identifiers that travel with each event can reveal who the visitor is and what they were doing, even if no medical record is ever transmitted as such.


Does HIPAA prohibit the use of tracking tools like Facebook Pixel on hospital websites?

HIPAA does not explicitly ban these tools, but a covered entity must ensure that no protected health information (PHI) is disclosed to a third party without either the patient’s authorization or a business associate agreement with that party. Whether a tracker discloses PHI depends on where it is placed and what it sends: a pixel on a public health-education page carries far less than one on an authenticated portal page whose URL names the service being scheduled. Careless deployment can therefore turn an ordinary analytics integration into a compliance violation.


How can patients know if a healthcare website is using trackers?

Patients can use privacy inspection tools or tracker-blocking browser extensions (for example uBlock Origin or Privacy Badger) to detect and block embedded trackers. The browser’s own developer tools also work: filtering the Network tab for requests to connect.facebook.net or facebook.com/tr while using a portal shows whether the Pixel is loaded and what each request carries. Reviewing a site’s privacy policy may also reveal what data is collected and with whom it is shared.
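The check described above can be done offline against a saved copy of a page. The following is an added example, not code from the original article or from Mount Sinai: it scans a page’s static HTML for the markers that the public Facebook Pixel base code leaves behind (the fbevents.js loader, the fbq('init', …) call with its pixel ID, fbq('track', …) events, and the noscript image beacon to facebook.com/tr). The sample page, the pixel ID 1234567890, the 'Schedule' event, its visit_type parameter, and the cdn.example-hospital.test host are all constructed for this example.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Constructed sample page (not from Mount Sinai or any real site). The inline
# block mirrors the shape of the public Facebook Pixel base code (loader
# abridged); the pixel ID, the 'Schedule' event and visit_type are invented.
SAMPLE_HTML = """
<html><head>
<script>
!function(f,b,e,v,n,t,s){if(f.fbq)return;n=f.fbq=function(){n.callMethod?
n.callMethod.apply(n,arguments):n.queue.push(arguments)};t=b.createElement(e);
t.async=!0;t.src=v;s=b.getElementsByTagName(e)[0];s.parentNode.insertBefore(t,s)}
(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890');
fbq('track', 'PageView');
fbq('track', 'Schedule', {visit_type: 'oncology'});
</script>
<script src="https://cdn.example-hospital.test/mychart/app.js"></script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
 src="https://www.facebook.com/tr?id=1234567890&amp;ev=PageView&amp;noscript=1"/></noscript>
<h1>Schedule an appointment</h1>
</body></html>
"""

# Hosts that identify the Pixel loader script and its beacon endpoint.
PIXEL_LOADER_HOST = "connect.facebook.net"
PIXEL_BEACON_HOST = "www.facebook.com"

_INIT_RE = re.compile(r"""fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]""")
_TRACK_RE = re.compile(r"""fbq\(\s*['"]track(?:Custom)?['"]\s*,\s*['"]([^'"]+)['"]""")
_LOADER_RE = re.compile(r"https://connect\.facebook\.net/[^'\"\s]*fbevents\.js")


class _ScriptAndImgCollector(HTMLParser):
    """Collect external script URLs, inline script bodies and <img> URLs."""

    def __init__(self):
        super().__init__()
        self.script_srcs, self.inline_scripts, self.img_srcs = [], [], []
        self._in_inline = False
        self._buf = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script":
            if a.get("src"):
                self.script_srcs.append(a["src"])
            else:
                self._in_inline, self._buf = True, []
        elif tag == "img" and a.get("src"):
            self.img_srcs.append(a["src"])

    def handle_data(self, data):
        if self._in_inline:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._in_inline:
            self.inline_scripts.append("".join(self._buf))
            self._in_inline = False


def find_facebook_pixel(html):
    """Return evidence of the Facebook Pixel found in a page's static HTML.

    Only markup is inspected: a pixel injected at runtime by a tag manager will
    not show up here, so an empty result is not proof that the page is clean.
    """
    p = _ScriptAndImgCollector()
    p.feed(html)
    p.close()
    findings = {"loaders": [], "pixel_ids": [], "events": [], "beacons": []}

    for src in p.script_srcs:                      # <script src=...> to the loader host
        if urlsplit(src).hostname == PIXEL_LOADER_HOST:
            findings["loaders"].append(src)
    for body in p.inline_scripts:                  # loader URL, init ID, track events
        findings["loaders"].extend(_LOADER_RE.findall(body))
        findings["pixel_ids"].extend(_INIT_RE.findall(body))
        findings["events"].extend(_TRACK_RE.findall(body))
    for src in p.img_srcs:                         # noscript beacon to facebook.com/tr
        u = urlsplit(src)
        if u.hostname == PIXEL_BEACON_HOST and u.path.startswith("/tr"):
            q = parse_qs(u.query)
            findings["beacons"].append({"id": q.get("id", [""])[0],
                                        "ev": q.get("ev", [""])[0]})
    return findings


if __name__ == "__main__":
    for key, value in find_facebook_pixel(SAMPLE_HTML).items():
        print(f"{key}: {value}")
```

Read the result together with the page’s URL: the PageView event reports the URL of the page it fires on, so a portal path or query string that names the clinic or visit type travels to Facebook along with the browser’s identifying cookies, and a custom event such as the constructed 'Schedule' above adds whatever parameters the site operator attached to it.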


What are constructive bailment and unjust enrichment in this context?

Constructive bailment refers to the duty Mount Sinai is alleged to have had to safeguard personal data once it was in its possession. Unjust enrichment means the institution may have benefited (for example, through advertising and analytics insights) at the expense of patients whose data was used without their consent.