Is Your Hospital Sharing Your Data With Facebook? Tracking-Pixel Lawsuits Explained
Yes — your hospital may have been sharing your health data with Facebook without your knowledge or consent. A wave of class action lawsuits filed against healthcare providers across the United States has exposed a widespread practice: embedding Meta Pixel and similar tracking tools on hospital websites and patient portals, sending sensitive patient information to third-party advertising platforms in violation of federal privacy law. If you visited a hospital website or used a patient portal in recent years, your data may have been part of it.
- What Is a Tracking Pixel — and How Does It End Up on a Hospital Website?
- Why This May Violate Federal Law
- The Inova Health Settlement: A Case Study
- How Much Have Hospitals Paid in Tracking Pixel Settlements?
- The Legal Theories Behind These Lawsuits
- What Data Was Actually Transmitted?
- How to Check If a Hospital You Visited Was Affected
- What the Ongoing Meta Pixel Litigation Means for Patients
- What Hospitals Are Required to Do Going Forward
- Frequently Asked Questions
What Is a Tracking Pixel — and How Does It End Up on a Hospital Website?
A tracking pixel is a small piece of JavaScript code, often invisible to the user, that monitors activity on a website. When a visitor clicks a link, views a page, or books an appointment, the pixel captures that interaction and transmits it — along with identifiers like an IP address, browser type, or user ID — to a third-party platform such as Facebook or Google.
Healthcare organizations began using these tools primarily for marketing purposes: to measure ad performance, build audience profiles, and optimize online campaigns. The problem is that when a pixel is embedded on a hospital website or a MyChart patient portal, the data it captures isn't just browsing behavior. It can include health-related information — such as the type of appointment a patient scheduled, the specialist they searched for, or the condition listed on a medical record page.
According to a 2022 investigation by The Markup, 33 of the top 100 hospitals in the United States had Meta Pixel installed on their online scheduling tools. Seven of those systems also had the pixel embedded inside password-protected patient portals. In follow-on litigation, plaintiffs identified at least 664 hospital systems and medical provider web properties where Facebook had received patient data through the tool without patients' knowledge or consent.
Why This May Violate Federal Law
The Health Insurance Portability and Accountability Act (HIPAA), codified at 45 C.F.R. Part 164, prohibits covered entities — including hospitals and health systems — from disclosing Protected Health Information (PHI) to third parties without a valid HIPAA authorization or a HIPAA-compliant Business Associate Agreement (BAA). Meta Platforms is not a HIPAA business associate of hospitals. No valid BAAs were in place. No patient authorizations were obtained.
In December 2022, the U.S. Department of Health and Human Services' Office for Civil Rights issued guidance confirming that regulated entities may not use tracking technologies in ways that result in the impermissible disclosure of PHI to tracking vendors. The guidance also clarified that IP addresses qualify as individual identifiers under HIPAA — meaning their transmission alongside health-related browsing activity constitutes a potential breach of the Privacy Rule.
Additionally, many lawsuits have cited violations of the federal Electronic Communications Privacy Act (ECPA), 18 U.S.C. § 2510 et seq., which prohibits the unauthorized interception and disclosure of electronic communications. The ECPA does not require a plaintiff to show PHI was disclosed — only that electronic communications were intercepted without authorization.
The Inova Health Settlement: A Case Study
One of the most recent cases to reach resolution is Lugo v. Inova Health Care Services, Case No. 1:24-cv-00700-PTG-WEF, filed in the U.S. District Court for the Eastern District of Virginia. Inova Health Care Services — a Virginia-based health system with five hospitals and more than 100 outpatient facilities — agreed to pay $3,147,390.04 to settle allegations that it used Facebook Pixel, Google Pixel, and similar technologies on its public-facing websites to collect and transmit patient information to third parties without authorization.
The lawsuit alleged that Inova's tracking tools captured data alongside unique identifiers such as Facebook IDs, User IDs, and Client IDs, enabling those third parties to connect sensitive health-related browsing activity to individual patients. Inova denied all wrongdoing and disputed that any PHI was disclosed under HIPAA, but agreed to settle to avoid the costs and uncertainty of continued litigation. As part of the settlement, Inova also committed to implementing remedial measures to bring its pixel practices into compliance with the ECPA and HIPAA.
The settlement class covered individuals who visited an Inova public-facing website between April 29, 2022 and April 29, 2024, and held an active Inova MyChart account during that period. The claim deadline for this particular settlement was April 6, 2026.
How Much Have Hospitals Paid in Tracking Pixel Settlements?
The Inova case is not an isolated example. Healthcare tracking pixel violations have cost U.S. providers more than $100 million in settlements and regulatory penalties since 2023. Notable resolved cases include:
| Healthcare Entity | Settlement Amount | Primary Legal Basis |
| --- | --- | --- |
| Mass General Brigham | $18.4 million | HIPAA / ECPA |
| Advocate Aurora Health | $12.25 million | HIPAA / patient privacy |
| HealthPartners | $6 million | HIPAA / ECPA |
| University of Rochester Medical Center | $2.85 million | HIPAA / ECPA |
| Inova Health Care Services | $3.147 million | ECPA |
The broader consolidated litigation — In re Meta Pixel Healthcare Litigation, filed in the U.S. District Court for the Northern District of California — continues to move forward against Meta Platforms itself, with plaintiffs seeking damages on behalf of millions of patients whose data was transmitted through provider websites.
The Legal Theories Behind These Lawsuits
Tracking pixel healthcare lawsuits typically allege violations under one or more of the following legal theories:
The Electronic Communications Privacy Act (ECPA) is the most commonly cited federal statute in these cases. Unlike HIPAA — which applies only to covered entities and does not provide a private right of action — the ECPA allows individuals to sue for damages when their electronic communications are intercepted or disclosed without authorization. Courts have disagreed on the scope of ECPA liability for pixel-based data collection, but several have allowed claims to proceed.
State consumer protection statutes have also been invoked in many cases. California plaintiffs, for example, have brought claims under the California Invasion of Privacy Act (CIPA) and the California Consumer Privacy Act (CCPA), which provide independent private rights of action for unauthorized data collection.
Finally, some plaintiffs have pursued common law claims for invasion of privacy, breach of implied contract, and unjust enrichment — arguing that hospitals implicitly promised patients that their information would remain confidential.
What Data Was Actually Transmitted?
The specific data transmitted through tracking pixels varies depending on where the pixel was installed and what user actions it was configured to capture. In authenticated patient portals — such as MyChart — the data stream could include:
- The type of medical appointment requested or scheduled
- The name of the physician or specialist searched
- Symptom-related search terms entered on the site
- The patient's IP address, User ID, and browser fingerprint
- Medication names or health conditions visible on the page
When this data reaches Facebook's servers, the platform's systems can match it against Facebook user profiles using the IP address and other identifiers — meaning advertisers can then serve that patient with targeted ads related to the very health condition they sought care for.
How to Check If a Hospital You Visited Was Affected
There is no single federal registry of hospitals currently under pixel-related class action litigation. However, several steps can help you determine your exposure. You can review the HHS Office for Civil Rights Breach Portal, which publishes reports filed by covered entities for breaches affecting 500 or more individuals. You can also monitor settlement announcements at platforms like ClassAction.org and TopClassActions.com. If you have received a notice in the mail from a hospital or health system, that notice likely qualifies you for participation in a pending settlement.
Consumers who believe their health data was shared through a tracking pixel without consent and who have not yet received any notice may also benefit from consulting a consumer protection attorney — particularly if they noticed an increase in health-related targeted advertising after visiting a healthcare website. An attorney can evaluate whether you have a viable ECPA or state-law claim and whether a class action is pending that covers your situation. Consumer protection attorneys typically handle these cases on a contingency basis, meaning no fees are owed unless compensation is recovered. You can search for a consumer protection attorney on AttorneyReview.com to find qualified legal counsel in your area.
What the Ongoing Meta Pixel Litigation Means for Patients
The litigation against Meta Platforms itself — John Doe v. Meta Platforms, Inc., currently pending in the Northern District of California — has survived multiple motions to dismiss and is proceeding toward class certification. In April 2025, a federal magistrate judge ordered Meta CEO Mark Zuckerberg to sit for a deposition, finding that discovery showed he was the "final decisionmaker on all consequential privacy decisions," including those involving data collection and user privacy. That ruling signals the litigation is serious, well-resourced, and unlikely to resolve quickly.
The scale of potential liability is substantial. Privacy-related class action complaints have increased by 200% since 2022, according to attorneys at Keller Rohrback who track digital litigation trends. In 2025 alone, more than 3,000 data breach class actions were filed in federal courts across the country, as reported at the IAPP Global Summit 2026. Healthcare is consistently among the most-targeted sectors, given the sensitivity of the data involved and the strength of the legal frameworks that apply to it.
What Hospitals Are Required to Do Going Forward
The HHS Office for Civil Rights has made clear that hospitals and other covered entities must obtain a HIPAA-compliant BAA with any tracking technology vendor before deploying that vendor's tools in authenticated environments. For publicly accessible pages that do not require login, the analysis is more nuanced, but the December 2022 OCR bulletin placed all covered entities on notice that any tracking tool capable of capturing PHI — including IP addresses in combination with health-related content — requires careful scrutiny.
In response to ongoing regulatory pressure, many health systems have begun auditing their third-party vendor relationships, updating privacy policies, and replacing native tracking technologies like Meta Pixel with HIPAA-compliant analytics platforms that do not transmit identifiable health information to advertising networks. However, the prior collection window — typically spanning 2020 through 2024 — remains the basis for most active class actions.
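One way the vendor audit described above can be carried out, as an added example that is not from the original article or from any health system's tooling: the script scans a browser network capture (HAR-style entries) and flags requests to third-party hosts that carry first-party page URLs, health-related terms, or identifier parameters. The hosts, parameter names, keyword list, and sample entries are all constructed assumptions.

```javascript
// Added example: audit a network capture for third-party requests that leak
// page context or identifiers. All hosts and values below are constructed.
const FIRST_PARTY = "hospital.example"; // assumption: the site being audited

// Constructed sample shaped like HAR entries (request.url, request.postData.text).
const sampleEntries = [
  { request: { method: "GET", url: "https://portal.hospital.example/static/app.js" } },
  { request: { method: "GET", url: "https://tracker.example/collect?ev=PageView" +
      "&page=" + encodeURIComponent("https://portal.hospital.example/schedule?specialty=oncology") +
      "&uid=1234567890" } },
  { request: { method: "POST", url: "https://metrics.example/e",
      postData: { text: JSON.stringify({ event: "click", label: "Book cardiology appointment" }) } } },
  { request: { method: "GET", url: "https://cdn.example/fonts/a.woff2" } },
];

// Terms whose presence in an outbound payload suggests health-related context.
const SENSITIVE = /(appointment|schedule|specialty|physician|medication|symptom|condition)/i;
// Hypothetical identifier parameter names; tune this list per vendor in a real audit.
const ID_PARAM = /^(uid|user_?id|client_?id|cid)$/i;

// A host is third-party unless it is the audited domain or one of its subdomains.
function isThirdParty(host) {
  return host !== FIRST_PARTY && !host.endsWith("." + FIRST_PARTY);
}

// Returns one finding per third-party request that carries something of concern.
function auditEntries(entries) {
  const findings = [];
  for (const { request } of entries) {
    const url = new URL(request.url);
    if (!isThirdParty(url.hostname)) continue;
    const reasons = [];
    for (const [name, value] of url.searchParams) {
      if (value.includes(FIRST_PARTY)) reasons.push(`param "${name}" carries a first-party URL`);
      if (SENSITIVE.test(value)) reasons.push(`param "${name}" contains health-related terms`);
      if (ID_PARAM.test(name)) reasons.push(`param "${name}" looks like a user identifier`);
    }
    const body = request.postData?.text ?? "";
    if (SENSITIVE.test(body)) reasons.push("request body contains health-related terms");
    if (reasons.length) findings.push({ host: url.hostname, reasons });
  }
  return findings;
}

console.log(JSON.stringify(auditEntries(sampleEntries), null, 2));
```

A request that combines an identifier parameter with a page URL or health-related term is the pattern the OCR guidance is concerned with, so those findings deserve review first.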
Frequently Asked Questions
What is a tracking pixel?
A tracking pixel is a small piece of code embedded on a website that monitors user behavior — including pages visited, forms submitted, and actions taken — and transmits that data to a third party such as Facebook or Google, often for advertising purposes.
Is using a tracking pixel on a hospital website illegal?
Not automatically. But when a tracking pixel on a hospital website or patient portal captures and transmits Protected Health Information to a third party without a valid HIPAA authorization or Business Associate Agreement, it may violate HIPAA. It may also violate the federal Electronic Communications Privacy Act (ECPA) and various state privacy laws.
What law protects my health data online?
HIPAA (45 C.F.R. Part 164) protects PHI held by covered entities. The ECPA (18 U.S.C. § 2510 et seq.) prohibits unauthorized interception of electronic communications. State laws — such as California's CIPA and CCPA — may provide additional protections and independent rights of action.
Can I sue a hospital for sharing my health data?
HIPAA does not provide a private right of action, meaning individuals cannot sue directly under HIPAA. However, affected patients may bring claims under the ECPA, state consumer protection statutes, or common law theories of invasion of privacy. Many pixel-related claims are being pursued as class actions.
What is the Inova Health settlement?
Inova Health Care Services agreed to pay $3,147,390.04 to resolve a class action (Lugo v. Inova Health Care Services) alleging it used tracking pixels to share patient data with Facebook and Google without consent, in violation of the ECPA. The settlement covered patients who visited Inova websites between April 29, 2022 and April 29, 2024 and had an active MyChart account.
What was the Advocate Aurora Health settlement?
Advocate Aurora Health agreed to a $12.25 million settlement resolving claims that it exposed approximately 3 million patients' data to Meta and Google through tracking pixels installed on its website, app, and MyChart portal between 2017 and 2022.
How do I know if my data was shared?
If you received a data breach or settlement notice by mail from a hospital or health system, you likely qualify for a pending settlement. You can also check the HHS Office for Civil Rights Breach Portal and class action settlement tracking websites for cases involving hospitals you have visited.
Is Meta being sued for this as well?
Yes. The consolidated case In re Meta Pixel Healthcare Litigation is pending in the U.S. District Court for the Northern District of California. It survived multiple dismissal motions and is proceeding toward class certification. In April 2025, a court ordered CEO Mark Zuckerberg to sit for a deposition in the case.
What compensation can I receive from a pixel tracking lawsuit?
Compensation varies widely depending on the settlement. In the Inova case, class members were eligible for a pro-rata share of the net settlement fund. In larger cases like Advocate Aurora, eligible patients could claim up to $50. Some settlements also include credit monitoring services or privacy protection subscriptions.
Do I need a lawyer to join a class action?
No. Most class action settlements do not require individual legal representation to file a claim. However, consulting a consumer protection attorney is advisable if you believe you suffered significant individual harm, if you are unsure whether you are covered by an existing settlement, or if you want to evaluate whether to opt out and pursue an independent claim.
What is HIPAA's BAA requirement?
A Business Associate Agreement (BAA) is a written contract required under HIPAA (45 C.F.R. § 164.504(e)) before a covered entity may share PHI with a vendor or service provider. If a hospital uses tracking technology from a company that is not a HIPAA-compliant business associate with a signed BAA, any disclosure of PHI to that company may constitute a HIPAA violation.
What should I do if I think my health data was illegally shared?
Review any mail or email notices from healthcare providers about data incidents. Check open class action settlement databases. Consider consulting a consumer protection attorney to assess your legal options. You can also file a complaint with the HHS Office for Civil Rights at hhs.gov/hipaa/filing-a-complaint.
Disclaimer
This content is for general informational purposes only, is not legal advice, and does not create an attorney-client relationship. Joy Coleman is licensed in Georgia and New Jersey and is not licensed to practice law in Virginia or any other state mentioned in this article. Readers should consult a qualified attorney licensed in their jurisdiction.