What happened

Plaintiffs filed the lawsuit after Advocate Aurora self-reported a breach to the HHS Office for Civil Rights in October 2022. The breach notification said the hospital had been using tracking pixels — including the Meta Pixel — on its websites and patient-facing applications, including pages where patients could search for doctors, schedule appointments, and use the LiveWell mobile app that integrates with MyChart.

When patients used those features, their browsers were sending data to Facebook, Google, and other ad platforms. The data included page URLs (which often contained condition names), IP addresses, identifiers tied to the patient, and in some cases, information about appointments or specific providers.

Advocate Aurora removed the trackers when it found them. By then, the data had already been sent.

The legal theory

The class action claimed Advocate Aurora violated:

  • HIPAA, by disclosing PHI to third parties without authorization or a BAA
  • The Wiretap Act (18 U.S.C. §2511) and the Stored Communications Act
  • State wiretap laws in Illinois (720 ILCS 5/14-2) and Wisconsin
  • Common-law claims for invasion of privacy, breach of fiduciary duty, and unjust enrichment

HIPAA itself does not have a private right of action, meaning patients can't sue directly under it. Plaintiffs' lawyers get around that by using HIPAA as the standard of care for their state-law claims. That structure is now standard in pixel cases.

What the settlement does

The $12.25M fund covers two things: payments to class members (capped per-person, then divided based on claim count), and changes to how Advocate Aurora handles tracking technology going forward.

The forward-looking commitments matter as much as the money. Advocate Aurora agreed to:

  • Remove all third-party tracking technologies that share PHI from patient-facing pages
  • Implement a written policy for evaluating new tracking technologies
  • Train staff on the policy
  • Do regular audits of its websites and apps for unauthorized trackers

Hospitals reading the settlement should treat those commitments as the de facto remediation standard for any pixel finding.

Why the case matters

It's the largest publicly known pixel settlement in U.S. healthcare. It established that:

  1. Patient-portal pages count as authenticated and are firmly inside HIPAA scope (this part survived the AHA v. Becerra carve-out)
  2. Tracking-tech disclosures support state wiretap claims, which carry their own statutory damages
  3. Self-reporting a breach to OCR doesn't prevent a class action — in fact, the breach notification gave plaintiffs the document trail they needed

Other hospitals settling on the same theory

Advocate Aurora is the largest case but not the only one. Settlements and active class actions on the same theory:

  • MarinHealth Medical Center — $3M class settlement, 2025
  • Novant Health — ~$6.6M reported settlement, 1.36M patients
  • Skagit Regional Health — class settlement, 2025
  • Reid Health (Indiana) — class settlement, 2025
  • Jefferson Healthcare (Washington) — class settlement with privacy-tool subscriptions, 2025
  • NorthBay Healthcare — class settlement, 2025
  • In re Meta Pixel Healthcare Litigation — federal MDL with 664+ hospital systems identified

What hospitals should learn from it

If your website or patient portal has tracking pixels, you have the same exposure Advocate Aurora had. Self-reporting won't save you. Removing the pixel after the fact won't save you. The only thing that prevents the settlement is not having the pixel deployed against clinical pages in the first place.

The simplest test: does your marketing team have access to publish to your patient portal? If yes, you have a governance gap. Fix that, then audit what's actually live.
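One way to run that audit, as an added example that is not part of the original article or any hospital's own tooling: it takes a capture of outbound browser requests and flags ad-platform requests fired from clinical pages, noting whether the page URL travels in the Referer header or in a query parameter. The first-party domain, clinical path prefixes, tracker host list and sample capture are assumptions constructed for illustration.

```python
from urllib.parse import parse_qsl, urlsplit

# Assumptions: replace with your own domain, clinical paths and vendor inventory.
FIRST_PARTY = "hospital.example"
CLINICAL_PREFIXES = ("/find-a-doctor", "/schedule", "/portal")  # hypothetical paths
TRACKER_HOSTS = ("facebook.com", "facebook.net", "google-analytics.com",
                 "googletagmanager.com", "doubleclick.net")

def host_matches(host, domain):
    """True for the domain itself or any subdomain (not mere suffix lookalikes)."""
    return host == domain or host.endswith("." + domain)

def audit(requests):
    """Return one finding per tracker request fired from a clinical page."""
    findings = []
    for r in requests:
        page = urlsplit(r["page_url"])
        host = urlsplit(r["request_url"]).hostname or ""
        tracker = next((d for d in TRACKER_HOSTS if host_matches(host, d)), None)
        if host_matches(host, FIRST_PARTY) or tracker is None:
            continue  # first-party asset or a host not in the tracker inventory
        if not page.path.startswith(CLINICAL_PREFIXES):
            continue  # non-clinical page: out of scope for this check
        # The page URL (which may name a condition) can leak two ways:
        # in the Referer header, or copied into a query parameter.
        leaks = ["referer"] if page.path in (r.get("referer") or "") else []
        query = parse_qsl(urlsplit(r["request_url"]).query)  # values are URL-decoded
        leaks += ["param:" + k for k, v in query if page.path in v]
        findings.append({"page": r["page_url"], "tracker": tracker, "url_leak": leaks})
    return findings

# Constructed sample capture (not real traffic; ids are placeholders).
SAMPLE = [
    {"page_url": "https://hospital.example/find-a-doctor/oncology",
     "request_url": "https://www.facebook.com/tr?id=0000000000&ev=PageView"
                    "&dl=https%3A%2F%2Fhospital.example%2Ffind-a-doctor%2Foncology",
     "referer": "https://hospital.example/"},
    {"page_url": "https://hospital.example/schedule/cardiology",
     "request_url": "https://www.googletagmanager.com/gtm.js?id=GTM-XXXXXXX",
     "referer": "https://hospital.example/schedule/cardiology"},
    {"page_url": "https://hospital.example/schedule/cardiology",
     "request_url": "https://hospital.example/static/app.js", "referer": ""},
    {"page_url": "https://hospital.example/careers",
     "request_url": "https://www.google-analytics.com/collect?v=1", "referer": ""},
]

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

In practice the request list would come from a browser capture (for example a HAR export) taken while walking the doctor-search, scheduling and portal flows; any finding on those paths is a tracker to remove or review.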