Aurora Health Agrees To $12.25M Settlement in Tracking Pixel Suit
by Brian Eckert
Advocate Aurora Health Inc. has agreed to pay $12.25 million to settle a consolidated class action lawsuit that accuses the nonprofit healthcare system of sharing users’ personal information without their consent with third parties like Meta and Google through a tracking pixel.
Milberg attorneys Gary M. Klinger and Alexandra M. Honeycutt are serving as Class Counsel for the settlement, which now awaits final approval.
Timeline of Events
In October 2022, Advocate Aurora Health posted a data breach notification on its website alerting patients that their personal data was disclosed to third-party vendors. A filing with the U.S. Department of Health and Human Services indicated that 3 million people—its entire patient base—could be affected.
In the notice, Advocate Aurora explained that it installed tracking technology, including Meta Pixel and Google Analytics, on its website, app, and patient portal to “better understand patient needs and preferences.”
On August 11, 2023, Plaintiffs filed a motion for preliminary approval of their class action settlement with Defendant, which would conclude this litigation. Defendant does not oppose the motion.
The trackers used pieces of code called pixels to gather information provided to Advocate Aurora. However, the trackers also “transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” the health system said. Patient IP addresses, physical locations, names, appointment information, and other protected health information may have been exposed in the breach.
Following the breach notification, several class action lawsuits were filed against Advocate Aurora, including Milberg’s Shyanne John, et al. v. Advocate Aurora Health Inc. complaint. These lawsuits were later consolidated into In re: Advocate Aurora Health Pixel Litigation in U.S. District Court for the Eastern District of Wisconsin.
A settlement in principle was reached on June 2, 2023. On August 21, the court announced preliminary approval of the settlement.
Aurora Health Data Breach Proposed Settlement Terms
According to the preliminary approval order, the parties have agreed to certify a class of approximately 2.5 million individuals impacted by the Aurora Health data breach. The settlement will create a fund of $12.225 million, out of which payments to class members will be made.
- Class members are defined as anyone whose personal information or health information was or may have been disclosed to a third party without authorization or consent through tracking pixels on Aurora Health’s website, LiveWell app, or MyChart patient portal between October 24, 2017 and October 22, 2022.
- Within 30 days of the preliminary approval order, a list of settlement class members will be provided to the settlement administrator.
- Eligible class members can claim a payment of up to $50.
- Class members have until December 19, 2023 to opt out of the settlement. Those who do not opt out by this date will be bound to the terms.
- A final approval hearing is scheduled for March 8, 2024.
- Payments should be sent to settlement class members within 45 days of the settlement’s effective date.
Tracking Pixels Widespread on Hospital Websites
Third-party tracking technology deployed on hospital websites has been the subject of increasing cybersecurity and legal concerns.
A report co-published by The Markup and STAT found that Meta Pixel, a tracking code offered by Meta Platforms Inc., was being used on a third of Newsweek’s top 100 hospitals in America, as well as inside the patient portals of several health systems.
Meta Pixel tracks website users and logs their activity, such as which buttons they click, which pages they visit, and certain information they enter into forms. The collected data is shared with Meta and can be used for targeted advertising on Facebook and Instagram. Meta then provides website owners with analytics about the ads and tools for targeting website visitors.
Journalists discovered that 33 of Newsweek’s top 100 hospitals in the country were sending sensitive data to Facebook via the pixel.
The information transmitted via Meta Pixel is labeled with an IP address that, in combination with other data, can be used to identify an individual or household. HHS lists IP addresses as one of 18 HIPAA identifiers.
Web trackers have also drawn the attention of regulators. HHS and the FTC recently sent letters to 130 hospitals and telehealth providers warning that tracking technologies pose data privacy and security violation risks. The FTC has already taken enforcement action against telehealth providers over their use of web tracking tools to illegally share customers’ private data with third parties.
Milberg: A National Leader in Data Breach Class Actions
Milberg cybersecurity and privacy lawyers have filed hundreds of data breach lawsuits, won millions of dollars for data breach victims, lobbied for court decisions that benefit data breach class members, and helped to change the data security practices of large corporations.
Since 1965, Milberg has filed thousands of class action lawsuits and recovered billions of dollars for our clients. We pioneered class action litigation and continue to be a leading voice for consumer justice.