Adena Health System, a nonprofit health system in Ohio, has agreed to pay $17.8 million to resolve a class action alleging that it improperly shared patient information with third parties through online ad-tracking tools.
The lawsuit alleges that Adena deployed Meta Pixel and similar tracking code on its MyChart patient portal and other web properties, allowing personally identifiable information and protected health information to be transmitted to companies such as Meta and Google without valid authorization.
Data allegedly disclosed included names, contact details, appointment information, IP addresses and details about interactions with the portal. Adena denied wrongdoing but agreed to the settlement, which still requires court approval and would provide cash payments to affected patients and fund remedial measures.
The case is one of several recent class actions targeting healthcare organizations for their use of online tracking technologies that may expose sensitive patient data to advertisers and analytics providers.
Source: https://healthexec.com/topics/health-it/cybersecurity/nonprofit-health-system-agrees-18m-settlement-over-use-ad-trackers
Commentary
The Adena settlement highlights how ordinary marketing tools can become high-stakes litigation risks when they collect or transmit information that regulators or patients (and their lawyers) view as protected health information.
Healthcare organizations should assume that any ad tracker, pixel, analytics tag or session-replay script on a patient-facing site or portal is discoverable in litigation and will be scrutinized against HIPAA, state privacy laws, and consumer-protection standards.
Loss prevention begins with a complete inventory of all web and app tracking technologies, followed by a legal and technical assessment of what data each tool captures, where it sends that data, and under what contractual safeguards.
Where tracking tools are not essential to care delivery, organizations should remove or heavily restrict them, especially on authenticated portals and pages that reveal conditions, treatments or appointment details.
For tools that remain, risk can be reduced by strong de-identification, strict configuration to avoid capturing PHI, updated notices and consent flows, and vendor agreements that clearly prohibit secondary use of any health-related data.
Regular audits and collaboration between marketing, IT, compliance and legal teams are essential to keep tracking practices aligned with evolving enforcement and class action trends.
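The inventory and assessment steps above can be partly automated. The following Python script is an added example, not code from the article or from Adena: it parses the HTML of a page, lists every script, image and iframe that loads from a host other than the page's own, classifies the host against a small constructed list of known tracker domains, looks for inline Meta Pixel (`fbq`) and Google tag (`gtag`) calls, and raises the risk rating when the page sits under an authenticated portal path. The tracker list, the portal path prefixes and the sample pages are constructed assumptions for the demonstration; a real audit would use a maintained tracker blocklist and crawl the live site with an authenticated session.

```python
"""Inventory third-party tracking tags on patient-facing pages.

Added example, not from the article. Scans HTML for elements that trigger
outbound requests to third parties and for inline tracker initialisation
calls, then rates each finding by whether it appears on an authenticated
portal page (where appointment and condition details are likely visible).
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed mapping of tracker hosts to vendor names; a production audit
# would load a maintained blocklist instead of hand-coding a few entries.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel (script)",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
}

# Inline JavaScript markers that indicate a tracker even when the loader
# script itself is injected later by a tag manager.
INLINE_MARKERS = {
    "fbq(": "Meta Pixel (inline fbq call)",
    "gtag(": "Google tag (inline gtag call)",
}

# Assumed path prefixes that are served only to logged-in patients.
AUTHENTICATED_PREFIXES = ("/mychart/", "/portal/")


class TagCollector(HTMLParser):
    """Collect src attributes of request-triggering tags and inline script bodies."""

    def __init__(self):
        super().__init__()
        self.sources = []          # (tag name, src URL)
        self.inline_scripts = []   # bodies of <script> blocks without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attributes = dict(attrs)
        if tag in ("script", "img", "iframe") and attributes.get("src"):
            self.sources.append((tag, attributes["src"]))
        elif tag == "script":
            self._in_inline_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_scripts.append(data)


def inventory(html, page_url):
    """Return a list of findings for third-party trackers found in the page."""
    parsed = urlparse(page_url)
    first_party = parsed.hostname
    authenticated = parsed.path.startswith(AUTHENTICATED_PREFIXES)
    risk = "high" if authenticated else "review"

    collector = TagCollector()
    collector.feed(html)

    findings = []
    for tag, src in collector.sources:
        host = urlparse(src).hostname
        # Relative URLs have no host and resolve to the first party; skip them.
        if host is None or host == first_party:
            continue
        findings.append({
            "element": tag,
            "host": host,
            "vendor": KNOWN_TRACKERS.get(host, "unclassified third party"),
            "on_authenticated_page": authenticated,
            "risk": risk,
        })
    for body in collector.inline_scripts:
        for marker, vendor in INLINE_MARKERS.items():
            if marker in body:
                findings.append({
                    "element": "inline-script",
                    "host": None,
                    "vendor": vendor,
                    "on_authenticated_page": authenticated,
                    "risk": risk,
                })
    return findings


# Constructed sample pages. Pixel and tag IDs are placeholders.
SAMPLE_PORTAL_PAGE = """
<html><head>
<script src="/static/portal.js"></script>
<script>
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
</head><body>Upcoming appointment: Cardiology</body></html>
"""

SAMPLE_PUBLIC_PAGE = """
<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<img src="/images/logo.png"/>
</head><body>About our hospital</body></html>
"""

if __name__ == "__main__":
    for url, page in (("https://portal.example.org/mychart/appointments", SAMPLE_PORTAL_PAGE),
                      ("https://www.example.org/about", SAMPLE_PUBLIC_PAGE)):
        print(url)
        for f in inventory(page, url):
            print(f"  [{f['risk']}] {f['element']:14} {f['vendor']} ({f['host']})")
```

The output separates the authenticated MyChart page, where every tracker is rated high because the page content itself reveals appointment details, from the public marketing page, where the same kind of tag is only flagged for review. Extending the script to follow the tracker's outbound requests (the query string of the image beacon, the payload of the gtag call) answers the "where it sends that data" question in the commentary.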
