$7,000,000: Healthcare Pixel Tracking Class Action Settlement, Christ Hospital

Written by 
Published on:
June 17, 2026
Updated on:
June 17, 2026

The Lyon Firm, together with several nationally recognized consumer class action firms, initiated and litigated one of the first healthcare pixel tracking cases in Ohio, In re The Christ Hospital Pixel Litigation (Court of Common Pleas, Hamilton County, Ohio, Case No. A2204749).

Joseph Lyon was appointed co-lead counsel by Judge Christian A. Jenkins and was involved in all aspects of the litigation and settlement, including pre-suit investigation, complaint drafting, motion practice, discovery, mediation, and the settlement approval process.

Without any admission of liability, and after substantial motion practice and discovery addressing issues of first impression, Christ Hospital agreed to resolve the lawsuit on a nationwide basis with broad relief for the class. The settlement provided:

  1. A $7,000,000 cash settlement fund for class members;
  2. A one-year subscription to Cyex Privacy Shield Pro, with an offered retail value to the class exceeding $89,000,000; and
  3. Business practice changes to guard against the future disclosure of digital health data.

At the center of the case were tracking tools used on the hospital's public website, patient portal, and mobile app, specifically the Meta Pixel and Google Analytics. These are pieces of code that companies often use to understand how people use their websites and to refine advertising by building profiles and retargeting visitors. 

The lawsuit alleged that Christ Hospital placed these tools on its website and patient portal, MyChart, and allowed them to collect and transmit patient data to Facebook and Google for marketing purposes without patients' knowledge or consent. Plaintiffs and class counsel raised a broader concern that once sensitive health data is shared with companies like Meta and Google, it may be used, sold, monetized, or further distributed in ways patients cannot track or control.

The litigation raised novel legal and factual questions about the use of marketing technology on a healthcare website. Among them was whether the disclosure of inferred or behavioral data, which could allow companies like Facebook and Google to infer sensitive conditions such as cancer or pregnancy from web activity, amounted to a "highly offensive" or improper disclosure where the actual diagnoses or test results were not disclosed. 

The case also raised technical questions about whether this modern data technology falls within the intent and purpose of Ohio's wiretapping statutes, and whether Facebook could identify users on the hospital's website through various identifiers. These issues remained largely unresolved at the time of settlement. The broader conversation about compliance and liability for healthcare entities using these tools has continued to evolve in Ohio and in courts across the country.

The lawsuit claimed that the data shared with Facebook and Google may have included:

  • Status as a patient of Christ Hospital
  • Phrases and search queries, such as conditions, treatments, and types of providers
  • IP addresses
  • Device IDs, user IDs, and account identifiers
  • Appointment details
  • Names of doctors selected
  • Buttons clicked or pages viewed
  • Online form submission data

Plaintiffs alleged this information went beyond ordinary browsing behavior and could connect a specific individual to sensitive health information about their past, present, or future care with Christ Hospital.

Healthcare data, including digital data gathered through websites, is protected under strict privacy rules, including the federal HIPAA law. Federal regulators, including HHS and the FTC, have warned healthcare entities about the use of tracking technologies and the risk of improperly disclosing patient health information. 

Patients expect that their web interactions with hospitals and physicians, such as researching conditions, looking up providers, booking appointments, and using internal portals, remain private. The litigation combined several legal theories around a central premise: patients' private information should not be disclosed or used for marketing without adequate patient consent.

The settlement class was defined as individuals who were patients of Christ Hospital or its affiliates and who, between December 30, 2018 and January 13, 2023, used the patient portal, the mobile app, the online health risk assessment form, the appointment request, or the nurse navigator form. It included over 320,000 class members.

Plaintiffs alleged harms including invasion of privacy, misuse of their personal health information, loss of the benefit of the bargain, loss of control over their personal data, and an ongoing risk of harm from continued unauthorized use of the information. They sought remedies including statutory and nominal damages, restitution and disgorgement of profits, and injunctive relief requiring business practice changes.

The Consolidated Amended Complaint brought claims for:

  • Invasion of privacy
  • Breach of implied contract
  • Breach of confidence (under Biddle v. Warren General Hospital)
  • Violation of the Ohio Consumer Sales Practices Act
  • Unjust enrichment
  • Negligence
  • Breach of fiduciary duty
  • Violation of Ohio's wiretapping law

Christ Hospital moved to dismiss each claim other than breach of confidence, arguing that the Biddle claim subsumed the remaining claims, and also raising failure-to-state-a-claim and standing arguments. 

The Court agreed in part, dismissing the negligence and breach of fiduciary duty claims as subsumed. It otherwise rejected the argument, finding that a breach of confidence claim does not subsume all common law and statutory claims, citing its own decision in Doe v. Bon Secours Mercy Health. The Court denied the remainder of the motion, allowing claims for invasion of privacy, breach of implied contract, unjust enrichment, the Ohio Consumer Sales Practices Act, and the Ohio Wiretap Act to proceed. 

After extensive discovery, including substantial document production and depositions, and with class certification briefing approaching, the parties mediated before a well-known Cincinnati mediator and reached a classwide settlement, with both sides weighing the risks and costs of continued litigation.

After review, and after class members had the chance to opt out or object, the Court granted final approval of the settlement, which included:

  • Certification of the settlement class
  • A $4,500,000 non-reversionary fund and a $2,500,000 reversionary fund
  • A monetary claims process providing $37.50 per claim
  • A one-year subscription to Cyex Privacy Shield Pro for all class members, with features including a data broker opt-out, VPN, digital vault, password manager, and dark web watchlist, carrying an offered value of approximately $89,000,000 (about $299.88 per class member per year)
  • Business practice changes, including removing the tracking technology from the sensitive parts of the website (portal pages, health risk assessment pages, appointment booking, and any other form submissions), the use of only HIPAA-compliant third-party vendors subject to Business Associate Agreements, and an extension of the preliminary injunction on the use of the Pixel for two additional years
  • Attorneys' fees and costs, service awards of $7,500, and settlement notice and administration

The total gross settlement value was calculated at $96,893,540 for the benefit of over 320,000 class members. At the time of final approval, a 5.6% claim rate yielded a total redeemed monetary value of $9,926,038.

The case was one of several healthcare pixel matters raising questions of first impression about the intersection of healthcare, patient privacy, and online tracking tools. Many commercial websites use tools like the Facebook Pixel and Google Analytics. 

In a healthcare setting, the line between routine analytics, marketing, and a privacy violation can blur quickly. For patients, the case shows how digital tracking tools may operate behind the scenes. Healthcare providers, in turn, are on notice that certain marketing technologies may pose legal and ethical risks when used without appropriate safeguards for patient privacy.

The settlement is not an admission of wrongdoing or an indication that Christ Hospital violated any law. It represents a resolution of disputed claims. Settlement results depend on the facts and circumstances of each case, and past results are not a guarantee or prediction of the result of any other case.

Contact Us

Request a Free Consultation

Taking the first step doesn’t have to be complicated. In just a few minutes, you can share the basics of your case, and our team will guide you from there:

  • It begins with a few simple questions about your situation.
  • From there, a member of our legal team reviews your case.
  • Together, we’ll chart the path forward, helping you take the next step toward resolution.
Thank you! Your submission has been received!
Oops! Something went wrong while submitting the form.