Protecting Patient Privacy In The Age Of Online Tracking Technologies

Children's Hospital Medical Center of Akron, commonly known as Akron Children's Hospital, in Ohio, has agreed to resolve a class action containing allegations that its use of Meta Pixel and other web tracking technologies unlawfully disclosed the personal information of hundreds of thousands of website visitors, including minors, to third parties such as Meta and Google without adequate notice or consent.

The settlement provides modest monetary compensation, identity protection services, and injunctive relief designed to curb future tracking practices, while the hospital continues to deny any wrongdoing or liability.

The lawsuit, filed in January 2024 as Doe v. Children's Hospital Medical Center of Akron in the Summit County, Ohio Court of Common Pleas, was brought by a parent on behalf of himself, his minor children, and similarly situated individuals whose data was allegedly captured via pixels and similar analytics tools embedded on the hospital's public-facing website and patient-related pages.

Plaintiffs alleged the hospital's configuration of Meta Pixel and other tracking code caused personally identifiable information - relating to visits, interactions with online forms, and potentially sensitive health-related browsing - to be transmitted to Meta, Google, and other third parties without authorization, supporting causes of action such as invasion of privacy, intrusion upon seclusion, negligence, breach of confidence, negligence per se, interception and disclosure of electronic communications, and unjust enrichment.

The settlement class is estimated at approximately 313,700 Ohio residents whose information may have been exposed through the hospital's use of pixels and similar technologies. The agreement is framed as addressing both the alleged past harm and the risk of future misuse of the data, as well as associated economic losses.

The hospital maintains it complied with the law, disputes all factual and legal allegations, and states that it settled purely to avoid the expense, business disruption, and uncertainty of further litigation and a potential jury trial.

Source: https://www.hipaajournal.com/childrens-hospital-medical-center-of-akron-pixel-class-action-settlement/; https://www.classaction.org/news/akron-childrens-hospital-settles-data-sharing-lawsuit-with-cash-payments-identity-and-credit-protection-services

Commentary

The Akron pixel lawsuit is a textbook example of how a seemingly small digital decision can create a large loss event for a healthcare organization, especially when children and families are involved.

At its core, the claim is that the hospital allowed tracking tools like Meta Pixel and similar analytics code on its websites in ways that captured and shared identifiable information about patients and website visitors with third parties such as Meta and Google, without clear consent, authorization, or HIPAA-compliant safeguards.

In practical terms, plaintiffs alleged that when people used the hospital's site to look up services, start appointment scheduling, interact with online forms, or access content that could reveal health concerns, those actions were quietly logged and transmitted to outside vendors. Even where visitors were not fully logged into a portal, data points like page URLs related to specific conditions, IP addresses, device identifiers, or referral links can be treated as protected or highly sensitive health information when tied to an individual, which is why state privacy laws, common law privacy torts, and HIPAA guidance were all invoked in the complaint.

The legal theories against Akron and other providers in similar cases have focused on invasion of privacy, intrusion upon seclusion, negligence, breach of confidence, unjust enrichment, and improper interception or disclosure of electronic communications, all grounded in the idea that patients never agreed to have their health-related web use repurposed for analytics or advertising ecosystems.

HHS OCR's updated tracking guidance reiterates that covered entities and business associates may not send PHI to analytics or ad tech vendors without a business associate agreement or a valid authorization, and that configuration errors that leak identifiers, URLs, or form contents to third parties can amount to impermissible disclosures and trigger breach obligations, enforcement risk, and follow-on civil litigation.

The final takeaway is that healthcare employers can further reduce loss exposure by limiting tracking to what is strictly necessary for site functionality, disabling advanced advertising features where health-related traffic is possible, and avoiding cross-site behavioral profiling tools on any pages connected to care delivery, scheduling, or condition-specific content.
