Lawsuit Alleges BJC Health Disclosed Patient Data from MyChart Portal Without Consent

BJC Health, a Missouri-based healthcare system, has agreed to pay up to $9.25 million to resolve a proposed class action lawsuit. The lawsuit claims that the healthcare provider’s use of online tracking tools within its MyChart patient portal resulted in the unauthorized sharing of sensitive patient data with third-party companies, without patient consent.
The settlement class encompasses all individuals who accessed BJC Health System’s MyChart portal from June 2017 to August 2022. Operating 14 hospitals and numerous medical facilities across Missouri, BJC Health allegedly failed to secure patient data against external tracking entities.
Initially filed in Missouri state court in 2022, the lawsuit transitioned to federal jurisdiction before ultimately returning to state court with an amended petition in 2023. Plaintiffs maintained that BJC Health’s websites, www.bjc.org and www.barnesjewish.org, facilitated unauthorized communication of personally identifiable information to firms like Facebook, Google, SiteScout, Invoca, and the Trade Desk, without proper disclosure to patients.
While BJC Health denies any wrongdoing, the settlement reflects an acknowledgment of the risks associated with online tracker implementations that may compromise personal health information. According to the settlement agreement, BJC Health will allocate a fund of $5.5 million to cover administrative costs, attorney fees, lead plaintiffs’ service awards, and valid claims. If necessary, up to an additional $3.75 million may be allocated based on claims made.
A Missouri judge has approved the proposed settlement terms, which allow affected patients to submit claims for a cash payment of $35 by October 8. A final hearing regarding the settlement is scheduled for October 16, during which the court will assess the adequacy of the settlement’s distribution mechanisms.
As part of the proceedings, the lead plaintiffs will each receive service awards of $15,000, while attorneys representing class members are capped at fees, expenses, and costs totaling no more than $3 million. The total number of patients whose data may have been exposed is not explicitly detailed in the court records.
This case is situated within a larger context of similar legal disputes involving HIPAA-regulated entities and consumer health applications. Lawsuits are increasingly alleging misuse of online trackers for extracting sensitive data, often without patient or consumer knowledge. The recent case against fertility-tracking app Flo Health illustrates this trend, as allegations surfaced that the app shared private user data with third-party companies, including Google and Meta, without appropriate consent or notification.
Experts highlight that incidents like the BJC Health case emphasize the importance of robust privacy practices and compliance audits within healthcare organizations, and that the underlying mechanism is ordinary rather than exotic: a third-party script or pixel embedded in a page sends requests to the vendor's servers when the page loads, and those requests can carry the page URL, browser identifiers and cookies, and in some configurations the contents of forms and clicked elements. On an authenticated patient portal, the URL and page contents alone can reveal appointments, providers and conditions. The practical controls are therefore an inventory of every third-party resource loaded on authenticated pages, a documented account of what each one transmits, a Content-Security-Policy that restricts script, image and connection origins on those pages to first-party hosts, and ongoing monitoring so that a tracker added later by a marketing team does not silently reintroduce the disclosure. Ensuring user awareness through transparent data practices remains paramount.
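As an added example, not code from the original article or from BJC Health, the following Python script performs the kind of static inventory described above: it parses saved HTML of a portal page, lists every origin that receives a request when the page loads, and flags hosts belonging to a list of advertising and analytics vendors. The sample page, the first-party hostname `portal.example-health.org`, and the vendor suffix list are constructed assumptions for illustration; the list is a starting point an auditor would extend, not a finding about any particular site.

```python
"""Static inventory of third-party origins on a saved HTML page.

Added example for illustration; not the article's or BJC Health's code.
The sample page, hostnames and tracker list below are constructed.
"""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed vendor domains to flag (ad-tech / analytics). Extend as needed.
KNOWN_TRACKER_SUFFIXES = (
    "facebook.net", "facebook.com",
    "google-analytics.com", "googletagmanager.com", "doubleclick.net",
    "adsrvr.org",   # The Trade Desk
    "sitescout.com", "invoca.net",
)

# Tags and the attribute whose URL the browser fetches on page load.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Inline calls that indicate a tracker is initialised on the page.
INLINE_TRACKER_CALLS = re.compile(r"\b(fbq|gtag|dataLayer\.push)\s*\(")


class OriginCollector(HTMLParser):
    """Collect fetched URLs and inline tracker calls from HTML."""

    def __init__(self):
        super().__init__()
        self.urls = []
        self.inline_calls = set()
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attr = FETCH_ATTRS.get(tag)
        if attr:
            for name, value in attrs:
                if name == attr and value:
                    self.urls.append(value)
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser delivers <script> bodies through handle_data.
        if self._in_script:
            for m in INLINE_TRACKER_CALLS.finditer(data):
                self.inline_calls.add(m.group(1))


def matches_tracker(host):
    """True if host is, or is a subdomain of, a known tracker domain."""
    return any(host == s or host.endswith("." + s) for s in KNOWN_TRACKER_SUFFIXES)


def audit(html, first_party_hosts):
    """Return third-party hosts, flagged tracker hosts and inline tracker calls.

    Relative and protocol-relative URLs are resolved by hostname only;
    a URL with no hostname is treated as first-party.
    """
    parser = OriginCollector()
    parser.feed(html)
    hosts = set()
    for url in parser.urls:
        host = urlparse(url).hostname
        if host and host.lower() not in first_party_hosts:
            hosts.add(host.lower())
    return {
        "third_party": sorted(hosts),
        "flagged": sorted(h for h in hosts if matches_tracker(h)),
        "inline_calls": sorted(parser.inline_calls),
    }


# Constructed sample of what an authenticated portal page might load.
SAMPLE_PORTAL_PAGE = """<!doctype html>
<html><head>
<link rel="stylesheet" href="/static/portal.css">
<script src="/static/mychart.js"></script>
<script src="https://www.googletagmanager.com/gtag/js?id=UA-0000000-0" async></script>
<script>
  window.dataLayer = window.dataLayer || [];
  function gtag(){dataLayer.push(arguments);}
  gtag('config', 'UA-0000000-0');
  fbq('track', 'PageView');
</script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
<script src="https://js.adsrvr.org/example_loader.js"></script>
</head><body>
<img src="https://www.facebook.com/tr?id=000&ev=PageView&noscript=1" height="1" width="1">
<img src="/images/logo.png">
<iframe src="https://scheduling.example-health.org/widget"></iframe>
</body></html>
"""

FIRST_PARTY = {"portal.example-health.org"}

if __name__ == "__main__":
    report = audit(SAMPLE_PORTAL_PAGE, FIRST_PARTY)
    for key, values in report.items():
        print(f"{key}: {values}")
```

Note that the scan distinguishes "third-party" from "tracker": the scheduling iframe in the sample is reported as an external origin but not flagged, which is the case an auditor has to resolve by hand (a hosted vendor may be covered by a business associate agreement; an ad pixel is not). A static scan also misses resources injected at runtime by a tag manager, so it should be paired with a capture of the browser's actual network requests on the logged-in page.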