Healthcare Organizations Using Web Trackers Are Facing Fines

At a Glance 

• $5.3M Settlement: Mount Sinai agreed to settle claims its web trackers shared patient data with Facebook; it denies wrongdoing. 

• Who’s Affected: Covers 1.3M MyChart users between Oct. 2020–Oct. 2023. 

• Bigger Picture: Part of a growing wave of lawsuits and regulatory scrutiny over healthcare web tracking tools. 

• Healthcare Organizations Must Be Aware of Web Tracking: There must be a clear understanding of what data is being collected and where it is transmitted. 

Web Tracking Privacy Claim Proves Costly for NYC Health System 

Mount Sinai Health System in New York City has agreed to pay nearly $5.3 million to settle a proposed class-action lawsuit related to its use of online tracking tools. 

The lawsuit alleged that Mount Sinai’s MyChart patient portal and main website shared patient data with Facebook through embedded tracking technologies without the knowledge or consent of patients. 

Mount Sinai has denied any wrongdoing and maintains that no medical information was disclosed. However, plaintiffs claimed that the hospital’s use of Facebook Pixel and Conversions API transmitted personally identifiable information (PII) and potentially sensitive health data, violating federal and state privacy laws. 

Who’s Included in the Settlement? 

According to court documents, the settlement class in the litigation against Mount Sinai consists of more than 1.3 million MyChart patient portal account holders who logged into their accounts between Oct. 27, 2020, and Oct. 27, 2023. 

Under the preliminary agreement: 

• Eligible class members who file valid claims will receive a share of the remaining fund after legal costs. 
• Attorneys’ fees are capped at 35% of the settlement fund (about $1.8 million). 
• Three lead plaintiffs are each set to receive $2,500 service awards. 
• A final approval hearing is scheduled for Nov. 3. 

Growing Scrutiny of Tracking Tools in Healthcare 

The Mount Sinai case is the latest in a wave of lawsuits targeting healthcare providers and app developers for using online tracking tools. 

• In July, BJC Health System in St. Louis agreed to pay up to $9.25 million to settle a proposed class action lawsuit also alleging that its use of online tracking tools in its patient portals sent sensitive patient information to third-party firms without patients’ knowledge or consent 

• In August, Flo Health, a consumer fertility-tracking mobile app maker, also agreed to settle a federal class action lawsuit that alleged the California-based company shared the sensitive data of millions of users without their consent with Google, Meta, and other firms. 

These cases highlight a growing concern: many healthcare organizations may be unaware that web trackers embedded in their portals and apps are quietly capturing and transmitting sensitive information. Read more about The Hidden Cost of Undisclosed Tracking Pixels: Lost Trust, Big Fines. 

Key Actions for Healthcare Organizations Using Web Tracking 

1. Scan and identify all active tracking pixels and scripts. 
2. Disable/remove trackers until data use is clearly understood. 
3. Involve cross-functional teams (marketing, IT, compliance, risk) in oversight. 
4. Confirm vendor agreements (BAAs) or use de-identification tools if BAAs aren’t available. 
5. Include trackers in risk analyses and maintain an updated inventory. 
6. Set policies and obtain consent where tracking is used; check state laws. 
7. Train staff and regularly monitor tracking tools. 

The Mount Sinai settlement emphasizes the increasing legal, regulatory, and reputational risks that healthcare organizations face when using web tracking technologies without adequate oversight. As regulators and courts continue to scrutinize the practice, providers and app developers should take proactive steps to evaluate their tracking tools, strengthen privacy safeguards, and ensure patients’ trust.