
The Lyon Firm, together with several other national consumer class action firms, initiated and litigated one of the first healthcare pixel tracking cases in the country.
After patients received a letter advising that their data may have been improperly disclosed through the use of the Meta Pixel, a group of patients filed a nationwide class action against Novant Health for the alleged improper disclosure of their personal health information.
Without any admission of liability, and following substantial motion practice addressing issues of first impression, Novant resolved the lawsuit on a nationwide basis through a $6,660,000 non-reversionary common fund covering approximately 1.3 million class members.
Joseph Lyon served on the leadership team and was involved in all aspects of the litigation and settlement, including pre-suit investigation, complaint drafting, motion practice, mediation, and the settlement approval process.
At the center of the case was a tracking tool known as the Facebook Pixel, a piece of code companies often use to understand how people use their websites and to refine advertising by building profiles and retargeting visitors. The lawsuit alleged that Novant placed this tool on its website and patient portal, MyChart, and allowed it to collect and transmit patient data to Facebook without patients' knowledge or consent.
Plaintiffs raised a broader concern that once sensitive health data is shared with companies like Meta, it may be used, sold, monetized, or further distributed in ways patients cannot track or control.
The litigation raised novel legal and factual questions about the use of marketing technology on a healthcare website. Among them was whether the disclosure of inferred or behavioral data, which could allow a company like Facebook to infer sensitive conditions such as cancer or pregnancy from web activity, amounted to a "highly offensive" or improper disclosure where the actual diagnoses or test results were not disclosed.
The case also questioned whether Facebook could identify Novant website users through various identifiers. These issues remained unresolved at the time of settlement. The broader conversation about compliance and liability for healthcare entities using these tools has continued to evolve since.
The lawsuit claimed that the data shared with Facebook may have included:
Plaintiffs alleged this information went beyond ordinary browsing behavior and could connect a specific individual to their past, present, or future care with Novant.
Healthcare data, including digital data gathered through websites, is protected under strict privacy rules, including the federal HIPAA law. Patients expect that their web interactions with hospitals, doctors, and healthcare entities, such as researching conditions, looking up physicians, booking appointments, and using internal portals, remain private.
The litigation combined several legal theories around a central premise: patients' private information should not be disclosed or used for marketing without adequate patient consent.
Novant acknowledged that more than 1.3 million individuals may have had their information shared while the tracking tool was active, from May 2020 to June 2022. The company stated that any disclosure occurred without its knowledge and issued a data breach notification letter to patients in August 2022.
The patients alleged harms including invasion of privacy, misuse of their personal health information, loss of control over their personal data, loss of the benefit of the bargain for their healthcare costs, and an ongoing risk of harm from continued unauthorized use of the information. They sought remedies including statutory and nominal damages, restitution and disgorgement of profits, and injunctive relief requiring business practice changes.
The Consolidated Amended Complaint brought claims for:
Defendants moved to dismiss each claim for failure to state a claim. The Court granted the motion in part, dismissing the majority of the claims, including invasion of privacy, the North Carolina UDTPA claim, unjust enrichment, and the ECPA claim. It denied the motion as to breach of implied contract and breach of fiduciary duty, leaving a limited pathway on available damages and remedies.
The parties then agreed to mediate before a nationally recognized mediator, and both sides reached a classwide settlement after weighing the risks and costs of continued litigation.
After full judicial review, the Court approved the settlement terms and structure, which included certification of the settlement class and monetary compensation to class members through a pro-rata claims submission process.
The case was one of first impression, raising industry-wide questions about the intersection of healthcare, patient privacy, and online tracking tools. Many commercial websites use tracking tools like the Facebook Pixel. In a healthcare setting, the line between routine analytics, marketing, and a privacy violation can blur quickly.
For patients, the case shows how digital tracking tools may operate behind the scenes. Healthcare providers, in turn, are on notice that certain marketing technologies may pose legal and ethical risks when used without appropriate safeguards for patient privacy.
The settlement is not an admission of wrongdoing or an indication that Novant Health violated any law. It represents a resolution of disputed claims. Settlement results depend on the facts and circumstances of each case, and past results are not a guarantee or prediction of the result of any other case.
Taking the first step doesn’t have to be complicated. In just a few minutes, you can share the basics of your case, and our team will guide you from there: