Nonprofit health system, Adena Health System, based in southern and south central Ohio, decided to pay $17.8 million to settle allegations that it illegally shared patient records with third parties when it installed tracking codes on its MyChart patient portal.
Adena Health put codes like the Google Analytics and Meta Pixel code on its website to monitor visitors; these tools were also added to its patient portal, so when users log in, the credentials they encoded may be collected. The collected information may contain protected health information (PHI) and personally identifiable information (PII), which may be automatically transmitted to companies like Meta and Google.
The disclosures prompted the filing of a lawsuit that alleged the sharing of users’ data without their knowledge or permission. Patients can use the patient portal to schedule consultations, study health problems, understand treatment choices, and get in touch with their healthcare providers. The lawsuit claimed that the tracking tools collected information such as health ailments, preferred treatment, doctors’ information, and search queries and sent them to third parties. In case a user was using Facebook during that time, the lawsuit claimed the collection of the unique Facebook identifier as well, enabling personal identification of the user. The lawsuit states the tools were purposely added to the website, allowing Adena Health to profit from the data disclosures.
The lawsuit claimed negligence, invasion of privacy, breach of fiduciary duty, breach of confidence, unjust enrichment, and a violation of the Electronic Communications Privacy Act. The criminal action, which is sharing individually identifiable health information with a third party, is a civil liability. Adena Health did not admit to any wrongdoing or liability and did not agree with the claims and allegations presented in the lawsuit; nevertheless, it negotiated a settlement to end the litigation and steer clear of the risks and concerns with the trial and more litigation expenses.
Based on the terms of settlement, 89,000 class members are eligible to receive a $21 cash payment and credit monitoring and identity theft protection services for one year, worth $179 per individual. The eligible class members are those who accessed the patient portal from November 1, 2022 to June 3, 2024. The court is yet to approve the settlement.