Getty Images/iStockphoto

Novant Health Reaches $6.6M Settlement Over Improper PHI Disclosures

In August 2022, Novant Health notified 1.3 million patients that its use of Meta pixel code had potentially led to unauthorized PHI disclosures.

Novant Health agreed to pay $6.6 million to settle a class action lawsuit surrounding improper disclosures of protected health information (PHI) due to the health system’s use of third-party tracking tech.

In August 2022, North Carolina-based Novant Health notified 1.3 million individuals that its use of Meta pixel code had potentially led to the unauthorized disclosure of PHI.

In its initial notice to patients, Novant Health explained that it launched a promotional campaign in May 2020 to connect more patients to its Novant Health MyChart patient portal.

“This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those efforts on Facebook,” the notice explained.

“A pixel is a piece of code that organizations commonly use to measure activity and experiences on their website. In this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

The impacted information potentially included contact information, appointment details, computer IP addresses, information entered into free text boxes, and button and menu selections.

Novant Health said it disabled the pixel as soon as it became aware that the pixel code could have been improperly transmitting information to third parties.

A subsequent class action lawsuit claimed that Novant Health’s unauthorized PHI disclosures were “intentional, reckless, and negligent.”

“At all times that Plaintiffs and Class Members visited and utilized Defendant’s website and MyChart portal, they had a reasonable expectation of privacy that Private Information collected through Defendant’s website and contained within the MyChart portal would remain secure and protected and only utilized for medical purposes,” the complaint stated.

“Plaintiffs and Class Members provided Private Information to Defendant in order to receive medical services rendered and with the reasonable expectation that Defendant would protect their Private Information. Plaintiffs and Class Members relied on Defendant to secure and protect the Private Information and not disclose it to unauthorized third parties without their knowledge or consent.”

Novant Health denied all claims but both parties agreed to the settlement to avoid continuing litigation. Novant Health is not the first to reach a settlement over its use of third-party tracking tech. Advocate Aurora Health reached a $12.25 million settlement to resolve similar allegations in August 2023.

As pixel fallout continues, healthcare organizations may continue to face lawsuits over their use of third-party tracking tools.

Next Steps

Dig Deeper on Health data access & privacy