Republic file photo An exterior view of Columbus Regional Hospital’s sign directing patients to the emergency entrance.
A Marion County judge has scheduled a status conference in a proposed class-action lawsuit filed against Columbus Regional Health over alleged data privacy violations, while the hospital system challenges the lawsuit in state court and a federal appeals court considers whether the case should be litigated in federal court.
Last week, Marion County Superior Court Judge Christina R. Klineman scheduled a status conference on April 5 in Marion Superior Court 1 in Indianapolis following a request by attorneys for the plaintiffs “to address the orderly progression of this matter,” according to court filings.
The lawsuit, filed on the Indiana Commercial Court docket in Marion Superior Court 1 in Indianapolis, claims that CRH embedded tracking technology on its website that collects and shares information about its patients with Meta, Google, Microsoft, Adobe Inc., DoubleClick, Marchex and “potentially others,” according to an amended complaint filed in January.
This allegedly includes the content that users searched for on CRH’s website, the buttons they clicked on, the forms they submitted, the events they registered for, when they accessed the patient portal and paid bills, the terms they searched for and the doctors they sought, the lawsuit states.
The complaint further alleges that CRH’s use of the technology violates HIPAA, the federal patient privacy law, as well as Federal Trade Commission standards and the Indiana Deceptive Consumer Sales Act.
Columbus residents and CRH patients Brian and Annie Elkins are listed as plaintiffs in the lawsuit. Annie Elkins was identified in the original complaint as a former CRH employee. The lawsuit proposes a class made up of any Indiana resident whose private information was disclosed by CRH through the tracking technology without authorization.
“When plaintiffs and class members used defendant’s website and online platforms, they thought they were communicating exclusively with their trusted healthcare provider,” the amended complaint states. “Unbeknownst to them, defendant embedded pixels from Facebook, Google, Microsoft, Adobe, DoubleClick and Marchex on its website and online platforms, surreptitiously forcing plaintiff and class members to transmit intimate details about their medical treatment to third parties without their consent.”
Since being filed in May, the lawsuit has bounced between the state and federal court systems. CRH has sought to move the lawsuit to federal court, arguing, among other things, that the complaint involves alleged violations of federal privacy standards, court records show.
Attorneys representing CRH said in a court filing they planned to argue in federal court that the hospital system did not violate federal privacy standards, and the “specific information that is purportedly ‘disclosed’ are outside of the purview of protected health information.”
However, a federal judge sent the lawsuit back to Marion Superior Court on Oct. 10, finding, among other things, that using alleged violations of federal standards as evidence for civil liability under state law does not, by default, confer jurisdiction to a federal court.
In November, CRH appealed the order to remand the case to state court. The hospital system also filed a motion to, among other things, pause the order sending the case to state court until the federal appeals court weighs in.
In February, a federal judge denied CRH’s motion, determining, among other things, that the hospital system “is unlikely to face prejudice in state court” and that “delay here only benefits” CRH.
The appeal was still pending before the U.S. Court of Appeals for the Seventh Circuit as of Tuesday morning.
“There is no harm to either party for the litigation to carry on in state court while the remand order is reviewed on appeal. The same things would be happening in either place; it does not matter where,” U.S. District Judge James R. Sweeney II states in an order dated Feb. 21.
Earlier this month, CRH filed a separate motion in state court seeking to dismiss the lawsuit on procedural grounds, arguing that the plaintiffs did not comply with state laws on bringing tort claims against a local governmental entity.
More specifically, CRH argues that the plaintiffs did not file a notice of a tort claim or give the hospital system 90 days as required by law to investigate the claim before they filed the lawsuit. A tort is an act or omission that results in injury or damage that may entitle an affected party to seek damages, often in the form of monetary compensation, according to the Cornell Law School’s Legal Information Institute.
The plaintiffs “did not wait 90 days to initiate a suit — they sued immediately, then amended their complaint 90 days later to formally list their tort theories,” the motion states. No decision had been made on the motion as of Tuesday morning.
CRH officials have declined to comment on the lawsuit, citing the pending litigation.
“In order to protect the integrity of a pending case, Columbus Regional Health refrains from comment on active litigation matters,” CRH spokeswoman Kelsey DeClue said previously in a statement to The Republic. “However, our organization intends to vigorously defend against these claims.”
The allegations against CRH come as a growing number of hospitals and health systems across the country face lawsuits that allege they disclosed private patient data to tech giants through tracking technology on their website and other online platforms.
The lawsuits largely involve the use of tracking technology called tracking pixels, which are pieces of computer code embedded into a website that can track and record a range of personal data on how a user interacts with the website, including information that users have typed in a form while on the website, according to the Federal Trade Commission’s Office of Technology.
Pixels can be hidden from view, and blocking third-party cookies may not prevent pixels from collecting and sharing information. Businesses commonly use them to track consumer behavior and target them with advertisements based on their online activity.
Many of the lawsuits, including the one filed against CRH, mention the use of the Meta Pixel, a tracking pixel developed by Facebook parent company Meta.
Meta has described the Meta Pixel as “a snippet of JavaScript code that loads a small library of functions” that can track Facebook ad-driven visitor activity on a website and “match website visitors to their respective Facebook user accounts.”
Court filings have alleged that the Meta Pixel can track information about a visitor’s device, including IP address and the pages viewed. It also can be configured to track search terms, button clicks and form submissions.
However, it is unclear how CRH had configured those tools or if it even used them at all. The original complaint and amended complaint do not specify how the plaintiffs concluded that CRH uses the tracking pixels, though the amended complaint provides alleged examples of the tools being used.
“Defendant revealed to Facebook the content that patients viewed and the buttons they clicked. For example, when a user clicked on ‘Cancer Center’ under the ‘Service Centers’ tab on the website, defendant reported to Facebook the title, page description and URL viewed by the user, thereby reporting that the individual was seeking cancer care,” the amended complaint states. “…Likewise, when a user loaded defendant’s ‘Diabetes Care’ page, CRH reported to Facebook that user was viewing a page about diabetes. If the user then submitted a ‘DIABETES REFERRAL FORM,’ CRH also shared that event with Facebook. And if the user clicked a button labelled ‘READ MORE ABOUT OUR WOUND CARE CENTER,’ this also was reported to Facebook.”
The issue of tracking technologies in health care settings came to light in June 2022 after a report by tech publication The Markup found that the Meta Pixel was installed on 33 of Newsweek’s top 100 hospitals in the country, including Johns Hopkins Hospital, UCLA Reagan Medical Center and Duke University Hospital.
The publication said former regulators, health data security experts and privacy advocates reviewed the report’s findings and found the hospitals’ use of the tracking tool may have violated HIPAA.
In December 2022, the U.S. Department of Health and Human Services warned that website trackers could violate HIPAA and that “regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures.”
“Such disclosures can reveal incredibly sensitive information about an individual, including diagnoses, frequency of visits to a therapist or other health care professionals and where an individual seeks medical treatment,” HHS said in December.
In June 2022, anonymous plaintiffs filed a proposed class-action lawsuit against Meta in federal court, alleging that the tech giant violated the medical privacy of patients through its Meta Pixel tool. That lawsuit is currently pending in federal court.
When the lawsuit was filed, attorneys for the plaintiffs alleged that they had identified through experts at least 664 hospital systems or medical provider web properties in the United States where Facebook had received patient data via the Metal Pixel.
Since then, lawsuits have been filed against Cedars-Sinai Health System in Los Angeles, Rush University System for Health in Chicago, U of L Health in Louisville, LCMC Health in New Orleans, among several others across the country.
By April 2023, at least 18 hospitals and health systems were facing similar lawsuits, according to Becker’s Health IT.
