The breach

Advocate Aurora self-reported to OCR in October 2022 that it had been using tracking pixels — including the Meta Pixel — on multiple patient-facing surfaces. The trackers were on the public website, the LiveWell mobile app, and inside the MyChart-integrated patient portal.

Patients who used those surfaces were sending data to Meta, Google, and other ad platforms. The data included page URLs, IP addresses, identifiers tied to individual patients, and in many cases information about appointments, providers, and conditions.

Advocate Aurora’s breach notification said the issue affected up to 3 million patients. The hospital removed the trackers once they were discovered.

The lawsuit

Six patients filed suit within two weeks of the breach notification. The cases were consolidated. The plaintiffs claimed Advocate Aurora violated HIPAA, the federal Wiretap Act, the Electronic Communications Privacy Act, the Illinois Eavesdropping Act, and various Wisconsin statutes. They also alleged common-law claims for invasion of privacy, breach of fiduciary duty, breach of contract, and unjust enrichment.

HIPAA itself doesn't have a private right of action. The plaintiffs used HIPAA as the standard of care for their state-law claims. That structure has since become standard in every pixel case that followed.

The motion to dismiss

Advocate Aurora moved to dismiss in early 2023. The hospital's main arguments: that the plaintiffs hadn't shown actual injury, that the data was anonymized, that the wiretap claims didn't apply to web traffic, and that the plaintiffs had consented to data collection through general privacy notices.

The court rejected most of these. Specifically, it held that:

  • The unauthorized disclosure of PHI was itself a concrete injury
  • Anonymization arguments were premature at the motion-to-dismiss stage and required evidence
  • The federal Wiretap Act applied to internet-based communications
  • Generic privacy notices did not constitute consent to the specific disclosures alleged

The case proceeded to discovery.

The settlement

The parties reached a proposed settlement in late 2023. The court granted preliminary approval in February 2024 and final approval on July 10, 2024.

The settlement has two parts.

The monetary fund is $12.25 million, distributed to class members on a per-claim basis after attorney fees and administration costs. Class members who submitted timely claims received per-person payments depending on the total claim count.

The forward-looking commitments are extensive. Advocate Aurora agreed to:

  • Remove all third-party tracking technologies that share PHI from patient-facing pages
  • Implement written policies on tracking-technology use
  • Train staff (especially marketing and IT) on the policies
  • Conduct regular audits of websites and apps for unauthorized trackers
  • Provide notice to OCR of any future similar incidents

These commitments now appear in nearly every other pixel-case settlement.

Why the case matters

It established three things.

First, that pixel-based PHI disclosures are actionable as HIPAA-grounded state-law claims even though HIPAA itself has no private right of action.

Second, that authenticated patient-portal pages are firmly inside HIPAA scope. This part of the law was unaffected by the later AHA v. Becerra ruling.

Third, that hospitals that self-report breaches to OCR are not insulated from class-action liability. In fact, the breach notification provided the document trail that plaintiffs used to build the case.

What other hospitals have done since

The same theory has produced settlements at MarinHealth ($3M), Novant (~$6.6M reported), Skagit Regional, Reid Health, Jefferson Healthcare, NorthBay Healthcare, and others through 2025-2026. The federal MDL against Meta itself (In re Meta Pixel Healthcare Litigation, MDL No. 3084) has identified more than 660 hospital systems with similar fact patterns.