
The Lyon Firm Settles Christ Hospital Pixel Case For $7 Million

The Christ Hospital Health Network, based in Cincinnati, Ohio, has agreed to a settlement of up to $7 million to resolve allegations that it improperly shared patient data through tracking technology embedded on its website and MyChart patient portal.

Joe Lyon of The Lyon Firm served as co-counsel in this case. 

The lawsuit accused the hospital of violating privacy laws by using online tracking tools—such as Meta Pixel and Google Analytics—that allegedly transmitted patients’ private information to third parties. While such tools are often used to enhance website performance and user experience, their use on healthcare portals can raise serious HIPAA compliance issues if data is shared without authorization.

How Website Tracking Tools May Violate HIPAA

Tracking technologies like pixels, cookies, and web beacons are standard across many industries to analyze traffic and improve marketing. However, when hospitals deploy these tools on platforms where patients log in or discuss health-related matters, sensitive health data may be exposed.

If identifiable patient information is sent to external entities like Meta or Google without a valid Business Associate Agreement (BAA) or direct patient consent, the healthcare provider may be in violation of HIPAA privacy and security regulations.

The Department of Health and Human Services’ Office for Civil Rights (OCR) has recently warned that the use of third-party tracking code on patient portals or appointment scheduling tools could amount to a reportable data breach under federal law.

Details of the Christ Hospital Pixel Litigation

Three separate lawsuits filed against The Christ Hospital were consolidated into a single action—In Re The Christ Hospital Pixel Litigation—in the Hamilton County Court of Common Pleas. Plaintiffs alleged that the hospital promoted its online platforms for scheduling appointments, accessing records, refilling prescriptions, and communicating with doctors, but failed to protect the privacy of patients using those tools.

According to the complaint, tracking code embedded in the hospital’s website and portal allegedly sent data about patient activities to Meta and Google, potentially revealing medical conditions such as cancer, pregnancy, or addiction.

The plaintiffs argued that this information was personally identifiable, as Meta could match data to users’ Facebook IDs, while Google could connect information through Chrome browsers and Android devices.

The claims included alleged violations of HIPAA, the Federal Trade Commission Act, and Ohio’s Wiretapping and Consumer Sales Practices laws, as well as claims for invasion of privacy, breach of confidence, negligence, and unjust enrichment.

Settlement Terms and Injunctive Relief

Without admitting wrongdoing, The Christ Hospital agreed to the settlement to avoid prolonged litigation. The agreement includes the establishment of a $4.5 million settlement fund to cover attorney fees, administration costs, and compensation to affected patients.

If payouts fall below the minimum of $37.50 per class member, the fund may increase by an additional $2.5 million, bringing the total settlement amount to $7 million. If total claims exceed that limit, payments will be reduced on a pro rata basis.

The hospital has also agreed to injunctive relief, promising to prevent Meta or any third party from accessing identifiable health information through its patient-facing platforms. This order will remain in effect for two years and applies to all portals, online forms, and health risk assessment tools.