FineME
Technology · Healthcare · 2024

Advocate Aurora Health

Advocate Aurora Health agreed to pay $12.9 million to HHS OCR — the largest HIPAA settlement of 2024 — for unauthorised disclosure of the protected health information of approximately 3 million patients through tracking pixels (Meta Pixel and Google Analytics) embedded on its patient-facing websites and patient portal. The tracking technologies transmitted patient identities, appointment details, IP addresses, and proxy health information to Meta and Google without patient authorisation, constituting impermissible disclosures of PHI to advertising platforms that were not business associates under HIPAA.

Fine Imposed

€11.9M

Authority

HHS-OCR-US

Regulation

Key Takeaways
  • Embedding advertising tracking pixels on healthcare patient portals that transmit any combination of patient identity and health-related information to third-party advertising platforms is a HIPAA violation — healthcare organisations must audit every third-party tag on patient-facing web properties.