Natali_Mis/istock via Getty Imag

Third-party tracking tech lawsuits surge in healthcare

From class action lawsuits to regulatory pushback, third-party tracking tech remains a focus area in the healthcare privacy landscape.

High rates of data breaches and cyberattacks mean that healthcare is no stranger to lawsuits. According to a recent report from law firm BakerHostetler, the healthcare sector’s use of third-party tracking pixels and other web analytics tools has resulted in even more legal risk. Healthcare accounted for 28 percent of the more than 1,150 incidents the firm tracked in 2023.

What’s more, upwards of 200 lawsuits have been filed against healthcare organizations over their use of third-party web technologies, 75 percent of which were filed in 2023 alone.

The prevalence of tracking tech in healthcare was first brought to light in June 2022, when journalists discovered that a third of Newsweek’s top 100 hospitals in America had the Meta Pixel embedded into their sites. The pixel was allegedly sending a packet of data to Facebook whenever a visitor took a simple action like scheduling an appointment, which raised patient privacy concerns.

Now, nearly two years after this discovery, litigation is continuing to crop up, with most actions still at the initial pleadings stage, BakerHostetler said. The firm is aware of one case that was granted class certification, and another that was denied it. Several others have reached settlements.

“A trial is set for this summer for the action in which class certification was granted,” the report continued.

“This will be the first Healthcare Pixel Action trial in the nation, and its outcome will likely impact defense strategies in other class actions against healthcare entities.”

Simultaneously, the American Hospital Association (AHA) is moving forward with its lawsuit against the HHS Office for Civil Rights (OCR) over its December 2022 bulletin on the use of tracking tech. The AHA argues that the bulletin “exceeds the government’s statutory and constitutional authority, fails to satisfy the requirements for agency rulemaking, and harms the very people it purports to protect.”

The lawsuit largely takes issue with OCR’s stance that an IP address of a device that accesses a HIPAA-covered entity’s website constitutes protected health information (PHI). Despite pushback, OCR released an updated bulletin in March 2024 that doubled down on that position.

“Many of our clients have made the difficult decision to remove all third-party technologies from their webpages while they search for alternatives for keeping their websites functional and relevant without transmitting IP addresses to third parties,” BakerHostetler added. “This is not an easy task, as IP addresses are a component necessary for the Internet to work.”

In addition to providing insight into ongoing third-party tracking tech lawsuits in healthcare, the firm tracked OCR’s enforcement actions year over year, shedding light on the office’s focus areas. OCR settled four right of access cases in 2023, a significant decline from the 16 it resolved in 2022.

OCR also issued four enforcement actions related to hacks, compared to two in 2022. In total, OCR issued 14 resolution agreements in 2023, compared to 21 in 2022. This could signify a change in resource availability, or that the office is focused on other enforcement issues.

Overall, BakerHostetler’s data shows that both regulators and litigators were focused on healthcare data privacy and security in 2023, and that focus will continue throughout 2024.

Next Steps

Dig Deeper on HIPAA compliance and regulation