Advocate Aurora Reaches $12.25M Settlement to Resolve Data Breach Lawsuit

Advocate Aurora Health suffered a data breach last year that impacted 3 million individuals, stemming from its use of tracking pixels.

By Jill McKeon

Advocate Aurora Health reached a $12.25 million settlement to resolve a data breach lawsuit. As previously reported, Advocate Aurora Health disclosed a data breach in October 2022 that impacted 3 million individuals and stemmed from the health system’s use of tracking pixels, which are common tools used for tracking website visitor activity.

Third-party tracking tech on hospital websites has resulted in numerous data breaches in the past year, sparking concerns about how this tech can be used in a compliant and secure manner, if at all.

In the case of Advocate Aurora, the nonprofit health system explained in its breach notification that it had used the services of several third-party vendors to “measure and evaluate information concerning the trends and preferences of its patients as they use our websites.”

Further investigation revealed that these third parties were potentially receiving sensitive information pertaining to site visitors, including IP addresses, locations and times of scheduled appointments, and communications within MyChart.

Advocate Aurora Health disabled the pixels and launched an internal investigation in order to “better understand what patient information was transmitted to our vendors.”

Following the breach notification, several lawsuits were filed and later consolidated into a class action complaint. The complaint alleged that Advocate Aurora’s use of tracking pixels “resulted in the invasion of Plaintiff’s and Settlement Class Members’ privacy and other alleged common law and statutory violations.”

Advocate Aurora denied the allegations and sought to settle the case to avoid further litigation. The $12.25 million will go toward settlement class members and will cover attorneys’ fees and other expenses.

As organizations continue to face the aftermath of data breaches stemming from pixel use, lawsuits and settlements like this one may become more common. Law firm BakerHostetler’s 2023 Data Security Incident Response Report (DSIR) observed more than 50 tracking tech-related lawsuits being filed against hospital systems in 2022, even declaring 2022 “the year of the pixel.”

What’s more, a recent study published in Health Affairs found third-party tracking technologies on 98.6 percent of all US nonfederal acute care hospital websites. The dozens of lawsuits filed in the wake of these breach notifications, along with explicit warnings and guidance from HHS and the Federal Trade Commission, show that consumers and regulators are taking note of this trend.