Atrium Health Settles Web Tracker Lawsuit for $1.8 Million
Atrium Health will pay $1.8 million to resolve a class action lawsuit alleging its patient portal unlawfully shared sensitive health data with third parties like Meta and Google.

North Carolina-based Atrium Health has agreed to a $1.8 million settlement to end a class action lawsuit that accused the nonprofit health system of violating patient privacy through the use of pixel tracking codes on its patient portal. The lawsuit contended that these trackers unlawfully transmitted sensitive patient information to third-party advertising firms, including Meta and Google, for marketing purposes, thereby infringing upon privacy regulations.
Atrium Health, which operates an academic medical center in Charlotte and numerous other care locations across North and South Carolina, had previously disclosed to federal regulators that its use of third-party tracking technology on its patient portal between January 2015 and July 2019 resulted in a HIPAA breach affecting nearly 586,000 individuals. This period aligns with the timeframe when the alleged data sharing occurred.
The proposed settlement outlines a payment of up to $1.8 million. A significant portion, $1.5 million, is allocated for service awards to class representatives, attorneys' fees, and expenses. The remaining funds will be distributed to two groups of class members. 'Group 1' consists of patients who used their portal accounts during the period the trackers were active (January 1, 2015, to July 31, 2019), while 'Group 2' includes those who had an account but did not access it during that specific tracking window, extending to April 10, 2024.
Payments to claimants in both groups will be contingent on the total number of claims submitted. Group 1 members are expected to receive a more substantial portion, while Group 2 claimants might receive up to $10, though the final amount could be less. Atrium Health has not yet issued a public comment regarding the settlement.
This case is one of many HIPAA breaches reported by healthcare organizations in recent years, often linked to the use of tracking pixels on patient portals, websites, and mobile applications. Similar lawsuits have alleged that patient health and personal information was captured and transmitted to third parties without explicit consent.
Federal regulators, including the HHS' Office for Civil Rights and the Federal Trade Commission, have intensified their scrutiny of web tracking tools in the healthcare sector. Guidance issued in 2022 and 2024 warned about potential HIPAA violations, and the FTC has pursued enforcement actions against telehealth companies for their use of such technologies.
The Atrium Health settlement follows similar class action cases against other healthcare providers, such as Kaiser Permanente, which is facing a potential $47.5 million settlement for its use of web trackers. Many healthcare organizations have since revised their practices, either discontinuing the use of trackers or enhancing patient consent and notification procedures.
Legal experts note that while regulatory enforcement is a concern, class action lawsuits represent a more significant legal risk for healthcare organizations regarding the use of website trackers. The focus on this issue by federal administrations has varied, with the current administration showing less emphasis compared to the previous one.