The convergence of technology and healthcare has been nothing short of a revolution, transforming the way people find, access, and manage everything from routine dental checkups to therapy. But as these experiences go digital, individuals are becoming more conscious than ever about the security of their data.
Nearly 75% of people are concerned about protecting their personal health data, according to the American Medical Association, and those concerns are amplified by news headlines about data malpractice.
As a natural response to this consumer sentiment, the healthcare sector finds itself at the epicenter of a growing wave of class action lawsuits—a powerful tool to hold healthcare organizations accountable for sloppy data handling.
Class action lawsuits pose major financial and reputational risks. But staying proactive can help you avoid them. In this article, you’ll learn how class action lawsuits work, explore notable cases, and get practical tips to stay in the clear.
Anatomy of a Class Action Lawsuit
Class action lawsuits allow large groups of individuals to band together, amplifying their voices and increasing their chances of obtaining redress. They also serve as a deterrent, compelling healthcare organizations to prioritize data security and adhere to privacy laws.
Here’s what you need to know:
Who can file a privacy-related class action lawsuit against a healthcare organization?
Patients: Individuals whose personal information has been compromised due to a data breach, unauthorized access, or mishandling of their records. These patients typically form the core of the class in a class action lawsuit.
Patient advocates and consumer protection groups: Organizations that advocate for patient rights and consumer protection may file lawsuits on behalf of affected individuals, especially when the breach affects a large number of people who may not have the resources to pursue legal action independently.
Legal Representatives: Attorneys specializing in data privacy and class action litigation often initiate these lawsuits on behalf of affected individuals or groups.
What laws are plaintiffs using to file suit?
Plaintiffs can invoke a variety of legal frameworks for class action lawsuits; however, there generally needs to be a private right of action (PRA) under the law being invoked. A PRA gives individuals the right to sue to enforce a civil law that would otherwise be enforced only by the government.
Some laws, like HIPAA, don't provide this right (only HHS and state attorneys general can enforce it), so individuals must rely on other laws that do.
Here are some common laws that are leveraged for privacy-related class action lawsuits.
Electronic Communications Privacy Act: The ECPA protects against the interception and unauthorized access of electronic communications. It is invoked when a healthcare organization is alleged to have let a third party capture or read patients' electronic communications with the organization (for example, the pages they requested and the form fields they filled in) without consent.
State Privacy Laws: Many states have enacted their own privacy laws that provide stronger protections, and private rights of action, beyond what federal law offers. Examples include the California Consumer Privacy Act (CCPA), whose private right of action covers data breaches, and the Illinois Biometric Information Privacy Act (BIPA).
Wiretap Acts: The federal Wiretap Act (Title I of the ECPA) and its state counterparts, such as the California Invasion of Privacy Act (CIPA), are the statutes most often behind web-tracker suits. The theory is that a pixel or analytics script on the organization's site lets the vendor intercept the contents of a visitor's communications with the site in real time, without the visitor's consent. Many of these statutes provide statutory damages per violation, which is what makes them attractive for class actions.
Video Privacy Protection Act: The VPPA restricts disclosure of a person's video-viewing history. It has been invoked where a healthcare website hosting video content (patient education videos, telehealth portals) is alleged to have shared which videos a visitor watched, together with an identifier that ties the viewing to that person, with a third party.
What’s the process?
Class action lawsuits typically follow these key stages:
1. Initial Investigation: Class action lawsuits typically stem from a privacy breach or violation discovered by affected individuals, or by attorneys who suspect wrongdoing (often after inspecting a website's outbound tracker traffic themselves).
2. Filing the Complaint: Attorneys draft the class action complaint outlining the allegations, legal basis, and relief sought. The case is filed in the appropriate federal or state court.
3. Class Certification: After the lawsuit is filed, the court determines whether the case meets the criteria for class action status.
4. Discovery Phase: Both parties exchange relevant information and evidence. This can include documents, emails, and depositions to build their cases.
5. Motions and Hearings: Pre-trial motions, such as motions to dismiss or for summary judgment, are filed. The court may hold hearings to rule on these motions.
6. Settlement Negotiations: Parties may engage in settlement negotiations to resolve the case without going to trial. If a settlement is reached, it must be approved by the court to ensure it is fair to all class members.
7. Trial: If no settlement is reached, the case proceeds to trial. Both sides present their evidence and arguments, and a judge or jury makes a decision.
8. Judgment and Appeals: If the plaintiffs win, the court issues a judgment specifying the damages or remedies. The healthcare organization may appeal the decision, potentially prolonging the case.
9. Distribution of Compensation: If a settlement or judgment includes monetary compensation, the funds are distributed to the class members according to the terms approved by the court.
10. Compliance and Monitoring: The healthcare organization may be required to implement changes to prevent future issues and may be monitored to ensure compliance with the settlement or judgment terms.
Notable Class Action Lawsuits Against Healthcare Organizations
Let’s take a look at four recent class action lawsuits centered around patient privacy.
Mass General Brigham
Mass General Brigham paid an $18.4 million settlement in a class action lawsuit for “the use of cookies, pixels, website analytics tools, and associated technologies on several websites without first obtaining the consent of website visitors.”
Mass General denied that any PHI was shared, and this wasn’t a strict HIPAA-led lawsuit. Instead, the plaintiffs sued based on a general invasion of privacy.
Advocate Aurora Health
Advocate Aurora Health had been using Facebook to retarget consumers based on medical tests they had taken or procedures they had. The PHI of 2.5 million patients had been sent to Facebook.
The lawsuit was settled and Aurora paid out $12.2 million to claimants.
Cedars-Sinai Medical Center
A 2023 lawsuit against Cedars-Sinai Medical Center alleged unlawful disclosures of patient data to Google, Meta, and other third parties due to the use of tracking technologies without either a business associate agreement or authorizations from patients.
The plaintiff in this case saw more health-related ads on Facebook after he had used the Cedars-Sinai website, and saw specific ads for the medical condition he disclosed on that site.
Aspen Dental
Hospitals aren’t the only organizations under pressure. Six plaintiffs filed a class action lawsuit against Aspen Dental for installing tracking software on its website and sharing private data with third parties including Facebook, Google, Bing, and Salesforce.
Steps You Can Take to Avoid a Class Action Lawsuit
As you saw in the examples above, class action lawsuits often arise from the mishandling of sensitive data. Here are four steps every healthcare organization should take to avoid the same fate.
Review Your Privacy Policy
Regularly review and update your website’s privacy policy to ensure it complies with the latest laws and regulations. Make sure the policy clearly outlines how patient data is collected, used, stored, and shared.
Evaluate Your Tracking Technologies
Web trackers are common culprits of privacy violations. Accordingly, you'll need to audit all of the tracking tech that exists on your website to ensure it isn't sharing sensitive information with any unauthorized third parties. "Tracking tech" is broader than the obvious ad pixels: tag managers (which can inject further tags after the fact), analytics, session-replay and heatmap tools, chat widgets, and embedded video or map players all make requests to third parties. Pay particular attention to pages where a visit itself says something about a person's health: condition pages, find-a-doctor searches, appointment scheduling, and anything behind a patient-portal login.
This will require some collaboration with your product, marketing, IT, and legal teams. For each tool, ask these two questions:
- What data is that web tracker sending? Look at the full page URL and title, referrer, any form inputs or custom event parameters, and identifiers such as cookie IDs or the visitor's IP address that let the vendor tie the visit to a person.
- Is that data sharing permissible? Is there a business associate agreement with the vendor, or valid authorization from the patient, that covers exactly what is being sent?
Want a full assessment of your website’s privacy risks? Get a free web tracker report.
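As an added illustration of the audit described above (this is example code written for this article, not Freshpaint's product or any vendor's SDK), the snippet below takes a list of outbound request URLs captured from a healthcare website, identifies which known trackers they go to, and pulls out what each request reveals: the page the visitor was on, any persistent identifier sent alongside it, and any custom event data. The tracker endpoint patterns, parameter names, sensitive path terms, the hypothetical site `example-health.org`, and the sample capture are all assumptions constructed for the example; verify the patterns against your own browser captures before relying on the report.

```javascript
// Added audit helper for this article (not from the original page or Freshpaint).
// Input: outbound request URLs captured from a page, e.g. in the browser via
//   performance.getEntriesByType('resource').map(e => e.name)
// or exported from a HAR file. Endpoint and parameter names below are assumed
// from commonly observed pixel traffic; confirm them against your own captures.
const TRACKER_ENDPOINTS = [
  { vendor: 'Meta Pixel',       host: 'www.facebook.com',         path: '/tr',        pageParam: 'dl', idParams: ['fbp', 'fbc'] },
  { vendor: 'Google Analytics', host: 'www.google-analytics.com', path: '/g/collect', pageParam: 'dl', idParams: ['cid'] },
];

// URL path fragments that suggest a visit reveals something about a person's
// health. Assumed list for the example; tune it to your own site's URL structure.
const SENSITIVE_PATH_TERMS = ['appointment', 'conditions', 'oncology', 'results', 'find-a-doctor', 'symptom'];

function identifyTracker(url) {
  return TRACKER_ENDPOINTS.find(t => url.hostname === t.host && url.pathname.startsWith(t.path)) || null;
}

// Which sensitive terms appear in the path of the page URL a tracker was told about?
function sensitiveTermsIn(pageUrl) {
  if (!pageUrl) return [];
  let path;
  try { path = new URL(pageUrl).pathname.toLowerCase(); } catch { return []; }
  return SENSITIVE_PATH_TERMS.filter(term => path.includes(term));
}

// Build one finding per third-party request. First-party requests are skipped;
// third parties we cannot classify are still reported so nobody slips through.
function auditRequests(requestUrls, firstPartyHost) {
  const findings = [];
  for (const raw of requestUrls) {
    let url;
    try { url = new URL(raw); } catch { continue; } // ignore malformed entries
    if (url.hostname === firstPartyHost || url.hostname.endsWith('.' + firstPartyHost)) continue;
    const tracker = identifyTracker(url);
    if (!tracker) {
      findings.push({ vendor: 'unknown third party', host: url.hostname, page: null, identifiers: [], sensitiveTerms: [], customData: {} });
      continue;
    }
    const page = url.searchParams.get(tracker.pageParam);
    const identifiers = tracker.idParams.filter(p => url.searchParams.has(p));
    // Meta's pixel encodes custom event data as cd[key]=value; GA4 uses ep.key=value (assumed formats).
    const customData = {};
    for (const [k, v] of url.searchParams) {
      const m = k.match(/^cd\[(.+)\]$/) || k.match(/^ep\.(.+)$/);
      if (m) customData[m[1]] = v;
    }
    findings.push({ vendor: tracker.vendor, host: url.hostname, page, identifiers, sensitiveTerms: sensitiveTermsIn(page), customData });
  }
  return findings;
}

// The findings a lawyer would care about: a health-related page URL sent together
// with an identifier that lets the vendor tie it back to a person.
function summarize(findings) {
  return findings
    .filter(f => f.sensitiveTerms.length > 0 && f.identifiers.length > 0)
    .map(f => `${f.vendor} received ${f.page} with identifier(s) ${f.identifiers.join(',')}`);
}

// Constructed sample capture (not real traffic) for the hypothetical site example-health.org.
const SAMPLE_REQUESTS = [
  'https://example-health.org/assets/app.js',
  'https://www.facebook.com/tr/?id=1234567890&ev=PageView&dl=https%3A%2F%2Fexample-health.org%2Fconditions%2Foncology%2Fappointment&fbp=fb.1.1700000000.111&cd%5Bcontent_name%5D=Oncology%20Appointment',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-ABC123&cid=555.666&dl=https%3A%2F%2Fexample-health.org%2Fabout-us&dt=About',
  'https://cdn.unknown-widget.example/chat.js',
];

if (typeof require !== 'undefined' && require.main === module) {
  const findings = auditRequests(SAMPLE_REQUESTS, 'example-health.org');
  console.log(JSON.stringify(findings, null, 2));
  console.log(summarize(findings));
}
```

Run it against a real capture by replacing `SAMPLE_REQUESTS` with the URLs from a HAR export of a condition or scheduling page, taken while logged in as a test patient and with a fresh browser profile. The "unknown third party" rows are as important as the classified ones: every host that appears there needs an owner who can answer the two questions above.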
Obtain Consent from Users
The class action lawsuit against Mass General Brigham stemmed from the fact that they didn't get user permission before using cookies, pixels, and analytics tools. A simple way to avoid this issue is obtaining consent via a clear and comprehensive banner, which users can opt into or out of. The banner has to actually gate the trackers, though: pixel and analytics scripts must not load or fire until consent is recorded, and the default before a choice is made must be "off". A banner that appears while the pixel has already sent a PageView for the URL the visitor is on gives you no protection.
Govern The Data Shared From Your Website to Third Party Tools
A surefire way to avoid a privacy-related lawsuit is to stop sharing sensitive data in the first place.
Many native web trackers will gladly take all the sensitive information from your website about your visitors and patients to enrich their own platforms, but they don't need all that data to perform for you.
Tools like Freshpaint's Healthcare Privacy Platform help you securely capture visitor data, then let you choose what’s okay (or not okay) to share with downstream tools.
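To make the consent and governance steps above concrete, here is an added example of a consent-gated, allowlisted event pipeline for a hospital website. It is illustrative code written for this article, not Freshpaint's implementation or any ad-tech SDK; the destination names, consent categories, cookie format, field names, and sample event are assumptions. It contrasts what a default pixel install does (forward everything on the page) with a pipeline that defaults to no consent, allowlists the fields each destination may receive, and coarsens the page path so a URL like `/conditions/oncology/appointment` can never leave the site.

```javascript
// Added example for this article (not code from the original page or Freshpaint).
// Destinations, consent categories, cookie format and field names are assumptions.

// What a default pixel install effectively does: forward whatever is on the page.
function naiveForward(event) {
  return { ...event };
}

// Default-deny consent parser. Assumed cookie value format: "analytics:1,advertising:0".
// Anything missing or malformed is treated as "not consented".
function parseConsent(cookieValue) {
  const consent = { analytics: false, advertising: false };
  if (typeof cookieValue !== 'string') return consent;
  for (const pair of cookieValue.split(',')) {
    const [category, flag] = pair.split(':');
    if (category in consent) consent[category] = flag === '1';
  }
  return consent;
}

// Reduce a page path to its top-level section so "/conditions/oncology/appointment"
// becomes "/conditions" before it is even eligible to be shared.
function coarsePath(path) {
  if (typeof path !== 'string') return '/';
  const first = path.split('/').filter(Boolean)[0];
  return first ? '/' + first : '/';
}

// Fields that must never leave the first-party context, regardless of policy.
// This is a second line of defense in case a destination policy is mis-edited.
const NEVER_SHARE = new Set(['email', 'phone', 'mrn', 'condition', 'provider', 'appointment_date', 'page_path']);

// Per-destination policy: the consent category that must be granted first, and the
// only fields that may be sent. Everything not listed is dropped.
const DESTINATION_POLICY = {
  analytics:   { consentCategory: 'analytics',   allowedFields: ['event', 'page_section', 'timestamp'] },
  advertising: { consentCategory: 'advertising', allowedFields: ['event', 'timestamp'] },
};

// Returns, per destination, either null (no consent: send nothing) or the
// minimized payload that destination is allowed to receive.
function buildOutboundEvents(event, consent) {
  const derived = { ...event, page_section: coarsePath(event.page_path) };
  const out = {};
  for (const [dest, policy] of Object.entries(DESTINATION_POLICY)) {
    if (consent[policy.consentCategory] !== true) { out[dest] = null; continue; }
    const payload = {};
    for (const field of policy.allowedFields) {
      if (NEVER_SHARE.has(field) || !(field in derived)) continue;
      payload[field] = derived[field];
    }
    out[dest] = payload;
  }
  return out;
}

// Constructed sample: the kind of event a scheduling page might emit (not real data).
const SAMPLE_EVENT = {
  event: 'appointment_requested',
  timestamp: '2024-06-01T14:03:00Z',
  page_path: '/conditions/oncology/appointment',
  condition: 'breast cancer',
  provider: 'Dr. Example',
  email: 'patient@example.com',
};

if (typeof require !== 'undefined' && require.main === module) {
  console.log('naive:', naiveForward(SAMPLE_EVENT));
  console.log('governed:', buildOutboundEvents(SAMPLE_EVENT, parseConsent('analytics:1,advertising:0')));
}
```

Two things this pipeline deliberately does not do: it does not send a redacted event to a destination whose consent category is absent (it sends nothing at all), and it never lets the raw page path through even for a consented destination. Note that it governs event payloads only; the vendor's script itself (for example the pixel loader tag) also has to be held back until the matching consent is granted, because loading it typically fires a PageView on its own.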
What Happens If You Ignore the Risks?
Class action lawsuits are costly in terms of time, money, and reputation. Let’s break down the risks.
Financial Loss
Healthcare organizations have paid tens of millions of dollars to settle class action lawsuits. But the settlement itself isn't the only financial burden to be aware of. Class action lawsuits can drag on for months or years, and paying lawyers to defend you is a fast way to burn through cash.
Negative Press
Consumer privacy is a hot topic, especially when it comes to people’s health information. Accordingly, healthcare organizations can end up in the headlines for all the wrong reasons if they get sloppy with their data-handling practices.
Loss of Consumer Trust
Consumer sentiment is clear: People don’t want to be tracked by ad tech companies, especially when their health information is part of the equation. When healthcare organizations get caught red-handed, the damage to consumer trust can be irreversible.
Will the Recent AHA Lawsuit Ruling Stop Class Action Lawsuits?
In June 2024, a federal judge ruled in favor of the AHA, vacating a narrow portion of HHS guidance on web tracking technologies: the part that treated a visitor's IP address, combined with a visit to an unauthenticated webpage about a health condition or provider, as protected health information on its own. However, the ruling did nothing to shield healthcare companies from class action lawsuits, or from the negative press that accompanies them. Class action lawsuits rely on laws with a private right of action, not on HIPAA.
Doriann Cain, a lawyer who specializes in privacy, doesn't see any change to the risk of class action lawsuits as a result of that change to how HIPAA applies to IP addresses.
“There’s no private right of action under HIPAA,” she explains. Instead, healthcare organizations need to understand their risk under statutes such as VPPA and state-level privacy laws.
The looming threat of lawsuits might seem scary. But as long as you take a privacy-first approach to marketing, you can steer clear of the hefty settlements and PR debacles. Need help making that happen? Talk to an expert at Freshpaint about auditing your website for privacy risks.