An exterior view of Columbus Regional Hospital in Columbus, Ind., pictured, Tuesday, March 31, 2020. Mike Wolanin | The Republic
INDIANAPOLIS — A Marion County judge has set hearing dates in a proposed class-action lawsuit against Columbus Regional Health over alleged data privacy violations.
On Friday, Marion County Superior Court Judge Christina R. Klineman scheduled a hearing on May 8 to consider a motion to dismiss the lawsuit filed by CRH, according to court filings.
Klineman also set a March 26, 2025, deadline for the plaintiffs to file a motion for class certification and a pretrial conference on May 20, 2025.
The lawsuit, filed on the Indiana Commercial Court docket in Marion Superior Court 1 in Indianapolis, claims that CRH embedded tracking technology on its website that collects and shares information about its patients with Meta, Google, Microsoft, Adobe Inc., DoubleClick, Marchex and “potentially others,” according to an amended complaint filed in January.
This allegedly includes the content that users searched for on CRH’s website, the buttons they clicked on, the forms they submitted, the events they registered for, when they accessed the patient portal and paid bills, the terms they searched for and the doctors they sought, the lawsuit states.
The complaint further alleges that CRH’s use of the technology violates HIPAA, the federal patient privacy law, as well as Federal Trade Commission standards and the Indiana Deceptive Consumer Sales Act.
Columbus residents and CRH patients Brian and Annie Elkins are listed as plaintiffs in the lawsuit. Annie Elkins was identified in the original complaint as a former CRH employee. The lawsuit proposes a class made up of any Indiana resident whose private information was disclosed by CRH through the tracking technology without authorization.
“When plaintiffs and class members used defendant’s website and online platforms, they thought they were communicating exclusively with their trusted healthcare provider,” the amended complaint states. “Unbeknownst to them, defendant embedded pixels from Facebook, Google, Microsoft, Adobe, DoubleClick and Marchex on its website and online platforms, surreptitiously forcing plaintiff and class members to transmit intimate details about their medical treatment to third parties without their consent.”
Since being filed in May, the lawsuit has bounced between the state and federal court systems. CRH has sought to move the lawsuit to federal court, arguing, among other things, that the complaint involves alleged violations of federal privacy standards, court records show.
Attorneys representing CRH said in a court filing they planned to argue in federal court that the hospital system did not violate federal privacy standards, and the “specific information that is purportedly ‘disclosed’ are outside of the purview of protected health information.”
However, a federal judge sent the lawsuit back to Marion Superior Court on Oct. 10, finding, among other things, that using alleged violations of federal standards as evidence for civil liability under state law does not, by default, confer jurisdiction to a federal court.
In November, CRH appealed the order to remand the case to state court. The hospital system also filed a motion to, among other things, pause the order sending the case to state court until the federal appeals court weighs in.
In February, a federal judge denied CRH’s motion, determining, among other things, that the hospital system “is unlikely to face prejudice in state court” and that “delay here only benefits” CRH.
The appeal was still pending before the U.S. Court of Appeals for the Seventh Circuit as of Friday morning.
“There is no harm to either party for the litigation to carry on in state court while the remand order is reviewed on appeal. The same things would be happening in either place; it does not matter where,” U.S. District Judge James R. Sweeney II states in an order dated Feb. 21.
Last month, CRH filed a separate motion in state court seeking to dismiss the lawsuit on procedural grounds, arguing that the plaintiffs did not comply with state laws on bringing tort claims against a local governmental entity.
More specifically, CRH argues that the plaintiffs did not file a notice of a tort claim or give the hospital system 90 days as required by law to investigate the claim before they filed the lawsuit. A tort is an act or omission that results in injury or damage that may entitle an affected party to seek damages, often in the form of monetary compensation, according to the Cornell Law School’s Legal Information Institute.
The plaintiffs “did not wait 90 days to initiate a suit — they sued immediately, then amended their complaint 90 days later to formally list their tort theories,” the motion states. No decision had been made on the motion as of Tuesday morning.
CRH officials have declined to comment on the lawsuit, citing the pending litigation.
“In order to protect the integrity of a pending case, Columbus Regional Health refrains from comment on active litigation matters,” CRH spokeswoman Kelsey DeClue said previously in a statement to The Republic. “However, our organization intends to vigorously defend against these claims.”
The allegations against CRH come as a growing number of hospitals and health systems across the country face lawsuits that allege they disclosed private patient data to tech giants through tracking technology on their website and other online platforms.
The lawsuits largely involve the use of tracking technology called tracking pixels, which are pieces of computer code embedded into a website that can track and record a range of personal data on how a user interacts with the website, including information that users have typed in a form while on the website, according to the Federal Trade Commission’s Office of Technology.
Pixels can be hidden from view, and blocking third-party cookies may not prevent pixels from collecting and sharing information. Businesses commonly use them to track consumer behavior and target them with advertisements based on their online activity.
Many of the lawsuits, including the one filed against CRH, mention the use of the Meta Pixel, a tracking pixel developed by Facebook parent company Meta.
Meta has described the Meta Pixel as “a snippet of JavaScript code that loads a small library of functions” that can track Facebook ad-driven visitor activity on a website and “match website visitors to their respective Facebook user accounts.”
Court filings have alleged that the Meta Pixel can track information about a visitor’s device, including IP address and the pages viewed. It also can be configured to track search terms, button clicks and form submissions.
However, it is unclear how CRH had configured those tools or if it even used them at all. The original complaint and amended complaint do not specify how the plaintiffs concluded that CRH uses the tracking pixels, though the amended complaint provides alleged examples of the tools being used.
The issue of tracking technologies in health care settings came to light in June 2022 after a report by tech publication The Markup found that the Meta Pixel was installed on 33 of Newsweek’s top 100 hospitals in the country, including Johns Hopkins Hospital, UCLA Reagan Medical Center and Duke University Hospital.
The publication said former regulators, health data security experts and privacy advocates reviewed the report’s findings and found the hospitals’ use of the tracking tool may have violated HIPAA.
Since then, lawsuits have been filed against Cedars-Sinai Health System in Los Angeles, Rush University System for Health in Chicago, U of L Health in Louisville, LCMC Health in New Orleans, among several others across the country.
By April 2023, at least 18 hospitals and health systems were facing similar lawsuits, according to Becker’s Health IT.
