Pomona Valley Hospital settles Meta Pixel Privacy lawsuit for $600K

The California hospital will pay to resolve claims that it shared sensitive user data with third parties through website tracking tools.

What happened

Pomona Valley Hospital Medical Center has agreed to a $600,000 settlement to resolve a class action lawsuit over its use of Meta Pixel and similar tracking technologies on its public website. Plaintiffs alleged that the hospital’s use of these tools resulted in unauthorized disclosures of personal information to third parties, including Meta (Facebook), in violation of wiretapping and privacy laws.

The hospital denies any wrongdoing or liability, but chose to settle in order to avoid the costs and risks associated with a trial and appeals. The case, Warren v. Pomona Valley Hospital Medical Center, was filed in California state court and has now received judicial approval for the settlement terms.

Going deeper

The class action applies to California residents who visited the hospital’s website and logged into the patient portal between January 1, 2019, and December 31, 2022. These users may have had their personally identifiable information, such as IP addresses, browsing behavior, and portal activity, transmitted to Meta via embedded tracking tools.

The $600,000 fund will be used to cover legal and administrative fees, as well as compensation to class members. Eligible individuals will receive a pro rata cash payment once all expenses are deducted, with options to receive their payment via check, PayPal, or Venmo.

What was said

Pomona Valley Hospital stated that the settlement does not constitute an admission of liability. The decision to settle was based on practical considerations, including the desire to avoid prolonged litigation.

The big picture

According to Renal & Urology News, “HIPAA governs how your data is used by providers and health insurers, but does not govern what individuals do with their data,” said Kevin Schulman, MD, Professor of Medicine at Stanford University. “To me, the issue is not laws but consumer awareness that they can now determine whom to share their data with, and should be sure that their apps and services are trusted vendors.”

Dr. Schulman added that “providers selling our data for advertising, directly or indirectly through trackers, is exactly what HIPAA was intended to prohibit.” His remarks reinforce the central issue raised by the Pomona Valley Hospital lawsuit: the use of website tracking tools in healthcare settings blurs the line between digital marketing and protected health data, exposing hospitals to serious compliance and ethical risks.

FAQs

What is Meta Pixel, and why is it problematic for healthcare organizations?

Meta Pixel tracks user interactions on websites, but in healthcare, it can capture data linked to patient portal activity or appointment behavior. When those identifiers are transmitted to external platforms, providers face potential HIPAA violations and state privacy claims.

Does HIPAA apply when tracking tools are placed on “public” pages?

Yes, when those pages connect to patient portals, online scheduling, symptom checkers, or any workflow that can reveal identifiable health information. Even if the page looks public, data flowing through it may still qualify as PHI.

How can providers determine whether they have a similar exposure risk?

Organizations should review all pixels, tags, analytics tools, and marketing scripts running across their domains. A technical scan paired with a legal and compliance review can identify whether any tools transmit IP addresses, URLs, or portal interactions to third-party vendors.

Can healthcare organizations still use analytics or marketing technologies?

They can, but only with controlled configurations. Tools should be vetted for HIPAA alignment, limited to non-PHI environments, and supported by safeguards that prevent the transfer of identifiers. Many systems are moving toward server-side analytics or consent-based models to reduce risk.
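
One way to run the technical scan described in the FAQ above, and to verify that tags stay out of PHI-bearing pages, is to record a browser session as a HAR file and flag every third-party request that carries the URL of a sensitive page. This is an added example, not code from the article or from any party it names; the hosts, the path prefixes, and the names audit_har, har_entry and SAMPLE_HAR are assumptions chosen for illustration.

```python
import re
from urllib.parse import urlsplit, unquote

# Assumed path prefixes that can reveal patient activity; adjust per site.
SENSITIVE_PREFIXES = ("/portal", "/schedule", "/symptom-checker")
URL_RE = re.compile(r"https?://[^\s\"'&<>\[\]]+")

def site(host):
    # Simplification: last two labels. Use the Public Suffix List in a real audit.
    return ".".join((host or "").lower().split(".")[-2:])

def audit_har(har, first_party):
    """Return sorted (third_party_host, channel, page_url) findings: requests to
    another site that carry the URL of a sensitive first-party page."""
    own, findings = site(first_party), set()
    for entry in har["log"]["entries"]:
        req = entry["request"]
        dest = urlsplit(req["url"])
        if site(dest.hostname) == own:
            continue  # first-party traffic is out of scope
        headers = {h["name"].lower(): h["value"] for h in req.get("headers", [])}
        channels = {"query": dest.query, "referer": headers.get("referer", ""),
                    "body": (req.get("postData") or {}).get("text", "")}
        for channel, text in channels.items():
            # Decode percent-encoding so URLs embedded in parameters become visible.
            for found in URL_RE.findall(unquote(text)):
                page = urlsplit(found)
                if site(page.hostname) == own and page.path.startswith(SENSITIVE_PREFIXES):
                    findings.add((dest.hostname, channel, found))
    return sorted(findings)

def har_entry(url, referer="", body=""):
    # Builds a minimal HAR entry holding only the fields audit_har reads.
    return {"request": {"url": url, "postData": {"text": body},
                        "headers": [{"name": "Referer", "value": referer}]}}

# Constructed HAR excerpt (hypothetical hosts), not captured from any real site.
SAMPLE_HAR = {"log": {"entries": [
    har_entry("https://www.hospital.example/portal/login"),
    har_entry("https://tracker.example/collect?ev=PageView"
              "&dl=https%3A%2F%2Fwww.hospital.example%2Fportal%2Fappointments",
              referer="https://www.hospital.example/"),
    har_entry("https://cdn.example/lib.js", referer="https://www.hospital.example/"),
    har_entry("https://analytics.example/batch", referer="https://www.hospital.example/",
              body='{"page": "https://www.hospital.example/schedule/cardiology"}'),
]}}

if __name__ == "__main__":
    for host, channel, url in audit_har(SAMPLE_HAR, "www.hospital.example"):
        print(f"{host}\t{channel}\t{url}")
```

A request whose Referer carries only the site origin is not flagged, which is why the cdn.example entry produces no finding; a full-path Referer sent to another site would be.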