The University of Rochester has decided to pay $2.85 million to settle all claims associated with using tracking tools on its website and MyChart patient site. Like numerous healthcare organizations, the University of Rochester Medical Center (URMC) installed tracking tools on its website to gather data on the use of its website.
Tracking tools, usually called pixels, log user activities on websites, including the time of visit to specific pages, the hyperlinks and buttons that are clicked on, and any information inputted in search bars, chat, or text boxes. That data is linked to user IP address, Facebook ID, and device ID, and sent to third parties, allowing them to serve targeted ads on other websites.
The HHS’ Office for Civil Rights released instructions on website tracking codes in December 2022, making clear how to use these tools in compliance with HIPAA Rules. The guidance was questioned in court and was partly rescinded. The final decision allowed the use of the tracking codes on web pages, except on pages requiring authentication, for example, patient portals.
The University of Rochester manages URMC, a medical treatment and research center in New York. It has around 26,000 staff members and about 3,000 medical researchers. UMRC’s MyChart Patient Portal is accessible through its website, and patients can visit the portal to view their health data, contact URMC, and set appointments.
After knowing that the URMC website uses tracking tools, plaintiffs Bonnie Wilson and Carol Kane submitted a class action lawsuit in the U.S. District Court for the Western District of New York. The Kane v. University of Rochester lawsuit alleges illegal disclosure of their protected health information (PHI). According to the plaintiffs, they visited the URMC website and patient portal to get medical services and book doctors’ appointments without knowing that their sensitive data was being disclosed to third parties.
As per the lawsuit, from January 11, 2021 to January 11, 2023, the MyChart portal had two tracking tools: the Conversions Application Programming Interface (CAPI) and the Facebook tracking pixel (Meta Pixel). Back then, the URMC website expressed that URMC is dedicated to safeguarding patient privacy. Any data provided through the URMC website will not be shared with or sold to third parties. According to the URMC privacy policy, protected health information are not disclosed to third parties except if authorized by HIPAA, like for legal reasons or investigations, or when instructed by the patient with a written.
The lawsuit made several claims, such as breach of contract, bailment, breach of fiduciary duty, unjust enrichment, breach of confidence, and a breach of the Federal Wiretap Act. The court partially granted University of Rochester’s motion to dismiss; nevertheless, some claims were permitted to continue. URMC rejects all claims and disputes filed against it, which include the allegation that it installed tracking codes on the patient portal or electronic medical record system. Although URMC does not admit to any wrongdoing, it agreed to a settlement to avoid the expenditures and risks linked to an ongoing litigation.
The terms of the settlement state that individuals who visited the URMC website from January 2018 to June 12, 2023 can file a claim for settlement benefits. URMC will create a $2.85 million settlement fund to pay for attorneys’ fees, legal costs, and class representative service awards. After these deductions, the remaining settlement fund will be allocated equally to all class members who filed legal claims. The total cash payment will be divided according to the number valid claims submitted by the class members.
The court has released its preliminary approval of the settlement. The schedule of the final approval hearing is August 21, 2025. Those who want to submit a claim, object to or opt out of the settlement should do so on or before July 21, 2025.