Allina Health System, a nonprofit health system serving Minnesota and Western Wisconsin, has agreed to pay $12.5 million to settle a class action lawsuit over its use of website tracking technologies — including pixels from Meta (Facebook), Google, and other third parties — on its patient portal and website from 2018 through 2026.
What happened
The lawsuit alleged that Allina Health deployed tracking pixels on its patient-facing websites and MyChart patient portal that transmitted protected health information (PHI) — including patients’ names, diagnoses, appointment details, and prescription information — to Meta, Google, and other advertising platforms without patients’ knowledge or consent. These tracking technologies allowed third-party platforms to build detailed profiles of patients based on their healthcare interactions.
This case is part of a wave of pixel-related litigation that has swept the healthcare industry following the 2022 Supreme Court decision in TransUnion LLC v. Ramirez and subsequent federal guidance from the HHS Office for Civil Rights (OCR) warning that tracking technologies on healthcare websites may violate HIPAA. Health systems including Advocate Aurora, Novant Health, and Atrium Health have faced similar class actions.
Settlement details
The $12.5 million settlement fund will cover class member claims, attorney fees, and administrative costs. Class members — anyone who used Allina Health’s patient portal or website during the relevant period — may file claims for compensation. Allina Health has also agreed to remove third-party tracking pixels from its patient-facing digital properties and implement enhanced privacy protections going forward.
Implications for healthcare organizations
- OCR’s July 2023 bulletin explicitly states that tracking technologies on authenticated patient portals can result in impermissible PHI disclosures under HIPAA
- Health systems should conduct a comprehensive audit of all tracking technologies (Meta Pixel, Google Analytics, LinkedIn Insight Tag, etc.) on patient-facing websites
- Third-party risk management programs must account for data-sharing via tracking scripts embedded in websites, not just traditional vendor relationships
- The $12.5M settlement signals that these cases carry significant financial exposure — pixel-related settlements have now exceeded $50M across the industry
