Dozens of hospital systems embedded advertising tracking code inside the MyChart patient portal, quietly transmitting sensitive health data to Meta and Google without telling patients. The data included appointment details, medical messaging, test result activity, and personally identifiable information — all sent to advertising companies without consent.
The lawsuits are not a single unified case. They are a collection of separate class actions, each targeting a specific hospital system that deployed the tracking technology. Cases were filed across multiple federal courts beginning in 2022. Several have settled, with cumulative settlement funds now exceeding $40 million. Others remain active in litigation as of mid-2026.
- What: Hospital systems used Facebook Pixel and Google tracking tools inside MyChart portals to transmit patient health data to advertisers without consent.
- Who: MyChart patients across dozens of hospital systems vs. those individual health systems (and in some cases, Epic Systems)
- Status: Multiple settlements reached and finalized; several cases still in active litigation as of 2026
- Injuries: Unauthorized disclosure of protected health information, HIPAA violations, Electronic Communications Privacy Act violations
- Settlement: Cumulative settlements exceed $40M across all cases; individual payouts range from $30 to $85 depending on the case
- Eligibility: Patients who used MyChart through a named health system during the relevant date window for each settlement
- Key date: Duke Health claim deadline: August 16, 2026; Catholic Health System hearing: April 23, 2026
What the MyChart Pixel Tracking Lawsuits Allege
The core allegation across every case is the same. Hospitals embedded a small piece of JavaScript code, known as Meta Pixel or Facebook Pixel, into their websites and MyChart patient portals. That code was designed for advertising analytics. It tracked what users clicked, viewed, and interacted with, then silently sent that behavioral data back to Meta.
When a patient logged into MyChart and navigated to a page about their test results, their appointment, or a specific medical condition, the pixel recorded that activity. Meta received it. The patient never consented to any of this. The hospitals never disclosed it.
The lawsuits allege this violated the federal Health Insurance Portability and Accountability Act, which prohibits covered entities from sharing protected health information with third parties without authorization. They also cite the Electronic Communications Privacy Act, which prohibits the unauthorized interception of electronic communications. Several cases additionally invoke state-level privacy statutes, including California’s Confidentiality of Medical Information Act.
How This Started: The Markup Investigation That Triggered a Legal Wave
The litigation traces directly to a June 2022 investigation by The Markup, a nonprofit newsroom focused on technology accountability. Researchers found that 33 of the top 100 hospitals in the United States had embedded Meta Pixel on their public-facing websites. Some had placed it inside password-protected patient portals.
The findings landed hard. Epic Systems, the company that builds and licenses the MyChart software, issued an internal warning to hospital clients. A senior Epic vice president recommended heightened caution around the use of custom analytics scripts. The warning came too late for millions of patients.
Advocate Aurora Health, a 26-hospital system operating across Wisconsin and Illinois, disclosed a data breach in October 2022 affecting up to 3 million patients. The breach notification confirmed that Meta Pixel, Google Analytics, and other tracking tools had been used on its websites, MyChart patient portal, and LiveWell app, disclosing protected health information without authorization. WakeMed Health and Hospitals made a similar disclosure the same month, acknowledging the pixel had likely transmitted data entered in MyChart back to Facebook.
The Novant Health breach, also disclosed in 2022, affected approximately 1.4 million patients. Investigators found that the misconfigured pixel had transmitted sensitive data, including sexual orientation details gathered through intake surveys, to Facebook without consent. Novant had not removed Meta Pixel from its sites and patient portals until May 2022, meaning the exposure lasted roughly two years.
Within weeks of these disclosures, plaintiffs’ attorneys filed class action complaints across the country. Federal investigations followed. By 2023, the MyChart pixel litigation had become one of the most active healthcare data privacy dockets in U.S. history.
MyChart Lawsuit Timeline and Updates
June 2022 — The Markup Publishes Its Findings
The Markup confirms that 33 of the top 100 U.S. hospitals are running Meta Pixel on their websites. Some have deployed the tracker inside patient portals. Epic Systems issues a caution to hospital clients. Several health systems begin removing the tracking code.
August 2022 — Novant Health Data Breach Disclosed
Novant Health notifies approximately 1.4 million patients that Meta Pixel collected and transmitted sensitive health information, including sexual orientation data from intake surveys, without their consent. Novant confirms it had not removed the pixel until May 2022.
October 2022 — Advocate Aurora Health Notifies 3 Million Patients
Advocate Aurora Health files a breach notification with the HHS Office for Civil Rights and alerts up to 3 million individuals that their data may have been shared with Meta, Google, and other third-party vendors via tracking pixels across its websites, MyChart portal, and LiveWell app. WakeMed issues a similar notification the same month.
October–November 2022 — Class Action Filings Begin
Plaintiff attorneys file the first class action complaints in federal court. The complaint against Meta and Advocate Aurora Health is filed October 28 in U.S. District Court in Chicago. It alleges violations of the Electronic Communications Privacy Act, Stored Communications Act, and HIPAA. Multiple hospital systems face individual suits within weeks.
2023 — Cases Consolidate, Settlements Begin
Federal courts begin consolidating related lawsuits. In Re Advocate Aurora Health Pixel Litigation is consolidated in the U.S. District Court for the Eastern District of Wisconsin. Settlement negotiations accelerate. On June 2, 2023, Advocate Aurora reaches a settlement in principle. The court grants preliminary approval on August 21, 2023. The settlement fund is set at $12.225 million, covering approximately 2.5 million class members.
March 8, 2024 — Advocate Aurora Settlement Receives Final Approval
A federal Wisconsin court grants final approval to the $12.225 million Advocate Aurora Health settlement. The class covers individuals whose data was transmitted between October 24, 2017, and October 22, 2022. Payments of up to $50 per claimant are distributed within 45 days.
May–August 2025 — New Settlements Reach Preliminary Approval
BJC HealthCare, a Missouri and Illinois hospital system, receives preliminary approval for a settlement of up to $9.25 million on May 14, 2025. The class covers anyone who used BJC’s MyChart portal between June 2017 and August 2022. Each qualifying claimant is eligible for a $35 payment. Mount Sinai Health System reaches a $5.26 million settlement. The class of approximately 1,314,147 patients used MyChart between October 27, 2020, and October 27, 2023.
September–November 2025 — SSM Health and Mount Sinai Finalize
SSM Health receives preliminary approval September 2 for a settlement covering patients who logged into SSM Health MyChart between July 6, 2020, and February 10, 2023. Each claimant receives a $31.50 cash payment plus one year of CyEx Privacy Shield Pro identity monitoring. Mount Sinai’s settlement receives final approval November 4, 2025. Payments begin distribution to approved claimants on February 3, 2026.
December 2025 — Inova and Catholic Health Receive Preliminary Approval
Inova Health Care Services receives preliminary approval December 17, 2025, for a $3.147 million settlement covering patients with Inova MyChart accounts who visited public Inova websites between April 29, 2022, and April 29, 2024. Catholic Health System receives preliminary approval December 11, 2025, for a settlement covering approximately 300,000 individuals who logged into CHS MyChart between January 1, 2020, and December 11, 2025. CHS has agreed to remove third-party tracking technologies including Google Analytics and Meta Pixel from its patient-facing websites.
March 2026 — Duke Health Settlement Approved
A federal court grants preliminary approval to Duke University Health System’s $3.7 million settlement. The case covers patients who logged into the Duke MyChart portal or MyDuke Health mobile app between February 18, 2019, and June 17, 2022. Over 800,000 individuals are eligible. Claimants must file by August 16, 2026.
Every Settled Case: What Patients Received
| Health System | Settlement Amount | Eligibility Window | Payout Per Claimant | Status |
|---|---|---|---|---|
| Advocate Aurora Health | $12.225M | Oct 2017 – Oct 2022 | Up to $50 | Paid (closed) |
| BJC HealthCare | $5.5M–$9.25M | Jun 2017 – Aug 2022 | $35 | Final approved (closed) |
| Mount Sinai Health System | $5.26M | Oct 2020 – Oct 2023 | ~$30–$85 (pro-rata) | Paid Feb 2026 (closed) |
| SSM Health | Undisclosed | Jul 2020 – Feb 2023 | $31.50 + privacy services | Final approved (closed) |
| Inova Health Care Services | $3.147M | Apr 2022 – Apr 2024 | Pro-rata share | Pending final approval |
| Catholic Health System | Undisclosed | Jan 2020 – Dec 2025 | Pro-rata share | Pending final approval Apr 23, 2026 |
| Duke University Health System | $3.7M | Feb 2019 – Jun 2022 | Pro-rata share | Claim deadline Aug 16, 2026 |
Who Qualifies to File a Claim
Eligibility is tied to your specific hospital system, not to MyChart as a platform. MyChart is software built by Epic Systems. Hundreds of hospital systems license and deploy it. Each lawsuit names the individual hospital, not Epic.
To qualify across most settlements, you generally need to meet three conditions. You had an active MyChart account with the named health system. You logged in or visited the health system’s patient-facing website during the specific date window for that case. You are a U.S. resident.
You do not need to prove your data was specifically misused. The lawsuits are built on the premise that the unauthorized disclosure itself is the harm. Courts in multiple jurisdictions have accepted that framing.
Key eligibility windows by hospital system:
| Hospital System | Eligible Date Window | Claim Deadline |
|---|---|---|
| Duke University Health System | Feb 18, 2019 – Jun 17, 2022 | August 16, 2026 |
| Advocate Aurora Health | Oct 24, 2017 – Oct 22, 2022 | Closed |
| BJC HealthCare | Jun 2017 – Aug 2022 | Closed (Oct 8, 2025) |
| Mount Sinai Health System | Oct 27, 2020 – Oct 27, 2023 | Closed (Oct 14, 2025) |
| SSM Health | Jul 6, 2020 – Feb 10, 2023 | Closed (Nov 25, 2025) |
| Inova Health Care Services | Apr 29, 2022 – Apr 29, 2024 | Closed (Apr 6, 2026) |
| Catholic Health System | Jan 1, 2020 – Dec 11, 2025 | Closed (Apr 10, 2026) |
What Epic Systems’ Role Has Been
Epic Systems builds and licenses MyChart. It does not install tracking pixels on hospital websites. Hospitals do that themselves, often through their own marketing and analytics teams.
That distinction matters legally. Most lawsuits target the individual hospital systems, not Epic. But some plaintiffs have argued Epic bears partial responsibility. The argument is that Epic should have built stronger privacy safeguards into the platform and warned hospitals explicitly about the risks of combining advertising pixels with patient portal pages.
Epic has disputed that framing. The company maintains that its software is HIPAA-compliant when used correctly and that it specifically warned hospital clients against deploying custom analytics scripts in sensitive areas. As early as 2022, Epic’s senior vice president of research issued written guidance recommending heightened caution around such deployments.
Several cases are actively litigating Epic’s liability separately from hospital liability. Federal courts are expected to issue key rulings on this question throughout 2026. The outcome could have significant implications for how software vendors are held responsible for the downstream misuse of their platforms.
The Science Behind the Tracking: How Meta Pixel Works Inside a Patient Portal
Meta Pixel is a small piece of JavaScript code embedded in a website’s code. When a visitor loads the page, the pixel fires. It sends data back to Meta’s servers, including information about what the visitor did on that page.
On a standard retail website, that might mean recording which products a user viewed. On a hospital’s MyChart portal, it recorded something far more sensitive: which pages a logged-in patient visited, what they searched for, which appointment types they accessed, and in some configurations, the content of form fields and messages.
The problem was compounded by a common user behavior. Many patients remained logged into their Facebook accounts while browsing their hospital portal. When the pixel fired, Meta could link the health portal activity to a specific, identified Facebook profile. That is not anonymous data. That is a named individual’s medical activity transmitted to an advertising company without their knowledge.
HIPAA defines protected health information as any data that can identify a patient and relates to their health condition, treatment, or payment. The transmission of “this patient viewed a page about chemotherapy at this hospital on this date” qualifies as PHI under that definition. Hospitals never obtained the patient authorization HIPAA requires before sharing PHI with non-covered entities like advertising companies.
What Regulators Did — and Did Not Do
HIPAA enforcement rests with the HHS Office for Civil Rights. Only the federal government can sue under HIPAA. Individual patients cannot bring HIPAA claims directly. That is why the lawsuits rely instead on the Electronic Communications Privacy Act, the Stored Communications Act, and state privacy statutes — laws that do allow private plaintiffs to sue.
The HHS Office for Civil Rights issued guidance in December 2022 clarifying that the use of online tracking technologies in ways that result in unauthorized PHI disclosures violates HIPAA. That guidance gave plaintiffs’ attorneys a regulatory anchor for their arguments, even though it did not itself trigger enforcement actions against the hospitals.
Several privacy experts have argued publicly that HIPAA is structurally inadequate for modern digital health environments. The law was enacted in 1996, years before patient portals, tracking pixels, or programmatic advertising existed. The MyChart litigation has become one of the most prominent cases used to make that argument — and some legal observers expect it to influence pending federal privacy legislation.
How to Find Out If Your Hospital Has a Settlement
The key fact is this: your eligibility depends entirely on which hospital system you used. The cases reviewed in this article cover only a portion of the hospitals that have been sued. New settlements continue to be announced through 2026. Additional hospital systems that have faced MyChart-related complaints include UC San Diego Health, Dignity Health, Northwestern Memorial Hospital, and several regional health networks.
If you used MyChart through a hospital system not listed here, check whether your hospital has a class action settlement website. Most hospitals that have settled operate a dedicated claims website managed by a court-appointed settlement administrator. The standard URL pattern is the hospital name followed by “settlement.com” — for example, BJCPrivacySettlement.com or HealthPixelSettlement.com for Inova.
If you received a settlement notice by mail or email, it will include a unique ID and PIN. Those credentials are required to file a claim online. The notice is confirmation that the hospital’s records show your account was active during the relevant period. Do not discard it.
If you did not receive a notice but believe you qualify, contact the settlement administrator directly. Many settlements allow claims from individuals who meet eligibility criteria even without a notice, provided they can verify their MyChart account history.
Similar data-sharing lawsuits, like the Crunchyroll lawsuit, have shown how patient and subscriber data shared with third parties without consent can anchor multi-million dollar privacy settlements. The BCBS antitrust case offers another reference point: the BCBS antitrust suit paid out $2.67 billion to six million people, demonstrating the scale that healthcare-sector class actions can reach when hospital systems fail their patient populations. The Cash App spam text settlement illustrates the pro-rata claims process these cases use, and the Progressive class action settlement shows how courts structure payouts when the defendant disputes liability but agrees to settle to avoid trial.
What This Lawsuit Teaches Consumers
The MyChart pixel litigation reveals a gap that regulators failed to close. Hospitals presented themselves as trusted stewards of the most sensitive information Americans generate. They deployed advertising technology inside that trust relationship without telling patients. The law has now required them to answer for it.
The broader lesson is not just about hospital portals. Tracking pixels are embedded across the internet, including on sites where people enter health symptoms, research medications, and seek mental health support. Most users have no idea these tools exist, let alone that they transmit behavioral data to third parties in real time.
The pattern here is familiar: a company uses a third-party tool for business purposes, the tool collects more than the company intended to share, and patients bear the privacy cost. HIPAA was not built to catch this. The MyChart lawsuits succeeded not because of HIPAA but despite it, built instead on older wiretapping and communications privacy statutes.
What changed: courts accepted that the transmission of health-adjacent behavioral data to an advertising company constitutes a legal harm, even without proof of financial injury. That precedent matters. It lowers the barrier for future privacy litigation across every industry that handles sensitive user data.
For patients: log out of social media accounts before accessing health portals. Use a browser with tracking protection enabled. Ask your hospital directly whether it uses third-party analytics tools on its patient-facing websites. The answer may surprise you.
Frequently Asked Questions
What is the MyChart class action lawsuit about?
Multiple hospitals embedded Meta Pixel and Google tracking tools inside the MyChart patient portal, silently transmitting protected health information — including appointment details and medical activity — to advertising companies without patient consent, allegedly violating HIPAA and the Electronic Communications Privacy Act.
Is there currently a MyChart settlement I can file a claim for?
Yes. As of mid-2026, Duke University Health System’s settlement has a claim deadline of August 16, 2026. Most other major settlements — including Mount Sinai, BJC HealthCare, SSM Health, Inova, and Catholic Health — have closed their claim windows.
How much money will I get from a MyChart settlement?
Individual payouts have ranged from approximately $30 to $85 depending on the case. BJC HealthCare offered $35 per claimant. SSM Health paid $31.50 plus privacy monitoring. Mount Sinai paid a pro-rata share of a $5.26 million fund. Duke Health payouts are still to be determined after the claim window closes.
Do I qualify if I did not receive a settlement notice?
Possibly. Settlement notices are sent based on hospital records. If you believe you had an active MyChart account during the relevant date window, contact the settlement administrator for your specific hospital directly. Many settlements allow claims without a notice if you can verify your account history.
Is MyChart itself the defendant, or is it the hospitals?
The hospitals are the defendants in these lawsuits, not MyChart or Epic Systems. Epic builds the MyChart software. Hospitals chose to add tracking pixels to their own websites and portals. Some cases are also litigating Epic’s potential liability separately, but most settlements are with individual health systems.
Can I file claims in more than one MyChart settlement?
Yes. Each case is independent. If you used MyChart through multiple hospital systems during different eligibility windows, you can file separate claims in each applicable settlement, as long as you meet the eligibility requirements for each.
What is Meta Pixel and why was it in a patient portal?
Meta Pixel is a piece of JavaScript code that tracks visitor activity on websites and transmits that data to Meta for advertising purposes. Hospitals added it to improve web analytics and marketing. When placed inside a patient portal, it captured health-related activity alongside the standard behavioral data it collects.
What laws do these lawsuits rely on if patients cannot sue under HIPAA?
Private plaintiffs cannot bring HIPAA claims directly. The MyChart lawsuits rely on the Electronic Communications Privacy Act, the Stored Communications Act, and state-level statutes like California’s Confidentiality of Medical Information Act, all of which allow private individuals to sue for unauthorized data interception.
Will receiving a settlement payment affect my insurance or disability benefits?
Small one-time privacy settlement payments are generally not considered income for insurance eligibility purposes, but this can vary by plan and state. Consult your benefits administrator or a tax professional before relying on any general guidance.
How do I file a claim for the Duke Health MyChart settlement?
The Duke Health claim deadline is August 16, 2026. Eligible patients who used the Duke MyChart portal or MyDuke Health app between February 18, 2019, and June 17, 2022, can file online through the court-approved settlement website or submit a paper claim form by mail. Check the settlement website for the claim portal login and mailing address.
Are settlement payouts from the MyChart lawsuits taxable?
Settlement payments for privacy violations are generally treated as compensation for intangible harm, not lost wages, and are often not taxable under federal law. However, tax treatment can depend on the specific structure of each settlement. Consult a tax professional for guidance specific to your situation.
Can family members file claims if the patient has passed away?
This varies by settlement. Some settlements allow an authorized representative of a deceased class member’s estate to submit a claim on their behalf. Review the specific settlement’s claim instructions or contact the settlement administrator to confirm whether estate claims are accepted.
Leave a Reply