Mount Sinai Health System Settles Class Action Over Patient Data Misuse

A class action lawsuit in New York City has culminated in a $5.3 million settlement by Mount Sinai Health System, following allegations that the organization used online tracking tools on its patient portal and website, effectively transmitting patient information to Facebook without consent for several years.
The lawsuit, filed in a federal court, accused Mount Sinai of violating both federal and New York state laws. Allegations included breaches of the Electronic Communications Privacy Act by intercepting and disclosing information, as well as negligence, invasion of privacy, and breach of implied contract.
The settlement encompasses over 1.3 million MyChart portal users who accessed their accounts between October 27, 2020, and October 27, 2023, as indicated in court filings. Plaintiffs contended that their health data was systematically collected and shared with Meta through the deployment of Facebook’s Pixel and Conversions API on Mount Sinai’s digital platforms.
Mount Sinai has denied these allegations, including claims regarding the sharing of patient information with Facebook. Under the preliminary settlement agreement, eligible claimants will receive a distribution of the remaining funds after deducting attorney fees and related costs.

The court’s preliminary approval has set attorney fees at a maximum of 35% of the total settlement fund, translating to approximately $1.8 million. Additionally, three lead plaintiffs are slated to receive $2,500 service awards.
A final approval hearing is scheduled for October 24, 2025. Mount Sinai has not yet responded to inquiries from Information Security Media Group regarding the settlement.
Implications for Web Tracking Practices
This settlement is part of a broader trend of recent lawsuits targeting healthcare institutions for their use of online tracking technologies, an issue that remains contentious. Regulatory attorney Paul Hales emphasized that this pattern of rapid settlements, although financially conservative relative to the number of affected patients, signals ongoing concerns about the integration of tracking in sensitive healthcare environments.
In related developments, BJC Health System recently agreed to a $9.25 million settlement over similar allegations regarding the unauthorized sharing of patient data through tracking tools in patient portals. Additional instances have seen companies like Flo Health settle class action lawsuits for sharing user data without consent.
Experts caution that many healthcare entities may inadvertently violate patient privacy due to unwarranted use of tracking tools such as Google Analytics and the Meta Pixel. Initial actions should include a thorough assessment of all tracking technologies in use to safeguard patient privacy and minimize unauthorized information disclosures.
To mitigate future risks, experts recommend that healthcare organizations regularly audit their technology infrastructures, enforce comprehensive policies regarding the usage of tracking technologies, and ensure all third-party vendors are bound by appropriate agreements. Failing to address these aspects could expose organizations to significant legal and regulatory repercussions.
Mount Sinai’s experience serves as a critical reminder for healthcare organizations regarding the need for vigilant data privacy practices, particularly in the realms of patient portals and other digital services. This incident underscores the importance of obtaining informed consent and maintaining strict compliance with regulatory frameworks, thereby protecting both patient data and organizational integrity.