A class action settlement of $6.6 million has been reached in the matter of In re: Novant Health, Inc., Case No. 1:22-cv-00697, to resolve litigation stemming from a potential unauthorized protected health information (PHI) disclosure by Novant. In August 2022, Novant notified 1.3 million individuals that PHI may have been disclosed without authorization due to its use of Meta’s (Facebook) advertising services and associated tracking pixels.
Meta and similar companies use tracking pixels to measure a user’s interactions with a website or mobile application. In Novant’s case, tracking pixels were configured incorrectly and may have allowed access to tracking data from their electronic health record (EHR), which included names and appointment details.
This third-party tracking has become an emerging issue for health systems to follow as it may cause the unauthorized use of PHI to third-party vendors and both the HHS Office for Civil Rights (OCR) and the FTC have released guidance around tracking pixels and how the HIPAA rule applies.