An exterior view of Columbus Regional Hospital in Columbus, Ind., pictured, Tuesday, March 31, 2020. Mike Wolanin | The Republic
INDIANAPOLIS — Columbus Regional Health has agreed to engage in settlement discussions to potentially resolve a proposed class-action lawsuit alleging that it unlawfully shared patients’ personal health information with Meta, the parent company of Facebook, and other tech giants.
The proposed class-action lawsuit, originally filed in May 2023 by two CRH patients, alleges that the hospital system embedded tracking technology on its website that collects and shares information about its patients with Meta, Google, Microsoft, among other companies. CRH has denied the allegations.
“The parties have conferred and agree to mediate this dispute on Nov. 7, 2025, in Indianapolis, Indiana,” according to a joint motion filed on the Indiana Commercial Court docket in Marion Superior Court 1 in Indianapolis. “…The parties are exploring resolution while continuing active litigation. The parties’ intent is to reserve judicial resources by continuing discovery and litigation efforts while simultaneously engaging in settlement discussions.”
The complaint alleges that CRH’s use of the technology violates HIPAA, the federal patient privacy law, and constitutes breach of implied contract and unjust enrichment.
Columbus residents and CRH patients Brian and Annie Elkins are listed as plaintiffs in the lawsuit. Annie Elkins also is identified in the complaint as a former CRH employee. The lawsuit proposes a class made up of any Indiana resident whose private information was disclosed by CRH through the tracking technology
“When plaintiffs and class members used (CRH’s) website and online platforms, they thought they were communicating exclusively with their trusted healthcare provider,” according to the most recent amended complaint. “Unbeknownst to them, (CRH) embedded pixels from Facebook, Google, Microsoft, Adobe, DoubleClick and Marchex into its website and online platforms, surreptitiously forcing plaintiffs and class members to transmit intimate details about their medical treatment to third parties without their consent.”
In March, CRH filed a response, denying, among other things, that it engaged in any unlawful practices or knowingly configured tracking technology on its website that collected and transmitted people’s private information to Facebook, Google or other third parties, according to court records.
“Columbus Regional denies sharing sensitive or confidential communications or private information with third parties and denies willfully and intentionally incorporating any tracking technologies (on its website),” CRH states in its response.
“Assuming for argument’s sake the Elkinses had any damages, they would have been caused by third parties, including but not limited to the technology companies mentioned in the complaint,” CRH further states in its response. “Assuming for argument’s sake that any tracking pixels existed on Columbus Regional’s website, they were placed there by third parties, and any damages the Elkinses allegedly suffered were caused by those third parties.”
The allegations against CRH come as a growing number of hospitals and health systems across the country face lawsuits that allege they disclosed private patient data to tech giants through tracking technology on their website and other online platforms.
The lawsuits largely involve the use of tracking technology called tracking pixels, which are pieces of computer code embedded into a website that can track and record a range of personal data on how a user interacts with the website, including information that users have typed in a form while on the website, according to the Federal Trade Commission’s Office of Technology.
Pixels can be hidden from view, and blocking third-party cookies may not prevent pixels from collecting and sharing information. Businesses commonly use them to track consumer behavior and target them with advertisements based on their online activity.
Many of the lawsuits, including the one filed against CRH, mention the use of the Meta Pixel, a tracking pixel developed by Facebook parent company Meta.
Meta has described the Meta Pixel as “a snippet of JavaScript code that loads a small library of functions” that can track Facebook ad-driven visitor activity on a website and “match website visitors to their respective Facebook user accounts.”
Court filings have alleged that the Meta Pixel can track information about a visitor’s device, including IP address and the pages viewed. It also can be configured to track search terms, button clicks and form submissions.
However, the complaint does not specify how the plaintiffs concluded that CRH uses the tracking pixels, though a preliminary list of exhibits to be introduced at trial filed last year suggests what kind of evidence the plaintiffs claim to have.
The exhibit list includes, among other things, records that allegedly show how many individuals’ private and health data was shared with third parties, health-related Facebook ads that the plaintiffs allegedly received, evidence that allegedly shows CRH’s use of the Metal Pixel and other tracking tools on its website, as well as documents that allegedly show what data was being shared with Facebook, Google or other third parties while using the website.
The plaintiffs are seeking the certification of a statewide class action that includes all CRH patients who are Indiana residents and whose private information was disclosed without authorization by CRH to third parties through the Meta Pixel or similar technology, according to court filings.
CRH, for its part, argues against class certification in its response, claiming, among other things, that it is not possible to determine precisely who would meet the criteria to be in the proposed class.
“A class is not ascertainable,” CRH states in its response. “Columbus Regional does not know the identity behind the IP addresses that ping its website. Nor is there any process to determine which patients have taken steps to safeguard their private information from disclosure, notwithstanding the existence of any tracking technologies. Further, upon information and belief, parties like Meta or Google have internal checks that block the introduction of certain forms of health data — there is no way to figure out whether class members’ data in fact reached these third parties. As a result, there is no way to determine who is in the class or whether class members have standing to pursue a concrete harm.”
The issue of tracking technologies in health care settings came to light in June 2022 after a report by tech publication The Markup found that the Meta Pixel was installed on 33 of Newsweek’s top 100 hospitals in the country, including Johns Hopkins Hospital, UCLA Reagan Medical Center and Duke University Hospital.
The publication said former regulators, health data security experts and privacy advocates reviewed the report’s findings and found the hospitals’ use of the tracking tool may have violated HIPAA.
Since then, lawsuits have been filed against Cedars-Sinai Health System in Los Angeles, Rush University System for Health in Chicago, U of L Health in Louisville, LCMC Health in New Orleans, among several others across the country.
Claims made in filing a lawsuit represent only one side of the case and may be contested in later court action.
