An exterior view of Columbus Regional Hospital in Columbus, Ind., pictured, Tuesday, March 31, 2020. Mike Wolanin | The Republic
CHICAGO — Oral arguments are set for next month in an appeal filed by Columbus Regional Health in a proposed class-action lawsuit over alleged data privacy violations.
A three-judge panel from the 7th U.S. Court of Appeals in Chicago will hear arguments May 28. Each side will have 15 minutes to speak.
The panel will also hear arguments that day in similar proposed class-action lawsuits filed against other Indiana health care providers, including Goshen Health, Hancock Regional Hospital in Greenfield and Methodist Hospitals in Gary
The lawsuit against CRH, filed on the Indiana Commercial Court docket in Marion Superior Court 1 in Indianapolis, claims that CRH embedded tracking technology on its website that collects and shares information about its patients with Meta, Google, Microsoft, Adobe Inc., DoubleClick, Marchex and “potentially others,” according to an amended complaint filed in January.
This allegedly includes the content that users searched for on CRH’s website, the buttons they clicked on, the forms they submitted, the events they registered for, when they assessed the patient portal and paid bills, the terms they searched for and the doctors they sought, the lawsuit states.
CRH is seeking, among other things, to overturn a federal judge’s decision in October to remand the case to state court. Since being filed last year, the lawsuit has bounced between the state and federal court systems.
CRH has sought to move the lawsuit to federal court, arguing, among other things, that the complaint involves alleged violations of federal privacy standards, court records show.
Attorneys representing CRH said in a court filing they planned to argue in federal court that the hospital system did not violate federal privacy standards, and the “specific information that is purportedly ‘disclosed’ are outside of the purview of protected health information.”
However, a federal judge sent the lawsuit back to Marion Superior Court on Oct. 10, finding, among other things, that using alleged violations of federal standards as evidence for civil liability under state law does not, by default, confer jurisdiction to a federal court.
In November, CRH filed the appeal. The hospital system also filed a motion to pause the order sending the case to state court until the federal appeals court weighs in.
In February, a federal judge denied CRH’s motion, determining, among other things, that the hospital system “is unlikely to face prejudice in state court” and that “delay here only benefits” CRH.
Last month, CRH filed a separate motion in state court seeking to dismiss the lawsuit on procedural grounds, arguing that the plaintiffs did not comply with state laws on bringing tort claims against a local governmental entity. A Marion County judge has scheduled a hearing on May 8 to consider the motion.
More specifically, CRH argues that the plaintiffs did not file a notice of a tort claim or give the hospital system 90 days as required by law to investigate the claim before they filed the lawsuit. A tort is an act or omission that results in injury or damage that may entitle an affected party to seek damages, often in the form of monetary compensation, according to the Cornell Law School’s Legal Information Institute.
The plaintiffs “did not wait 90 days to initiate a suit — they sued immediately, then amended their complaint 90 days later to formally list their tort theories,” the motion states. No decision had been made on the motion as of Tuesday morning.
CRH officials have declined to comment on the lawsuit, citing the pending litigation.
“In order to protect the integrity of a pending case, Columbus Regional Health refrains from comment on active litigation matters,” CRH spokeswoman Kelsey DeClue said previously in a statement to The Republic. “However, our organization intends to vigorously defend against these claims.”
The allegations against CRH come as a growing number of hospitals and health systems across the country face lawsuits that allege they disclosed private patient data to tech giants through tracking technology on their website and other online platforms.
The lawsuits largely involve the use of tracking technology called tracking pixels, which are pieces of computer code embedded into a website that can track and record a range of personal data on how a user interacts with the website, including information that users have typed in a form while on the website, according to the Federal Trade Commission’s Office of Technology.
Pixels can be hidden from view, and blocking third-party cookies may not prevent pixels from collecting and sharing information. Businesses commonly use them to track consumer behavior and target them with advertisements based on their online activity.
Many of the lawsuits, including the one filed against CRH, mention the use of the Meta Pixel, a tracking pixel developed by Facebook parent company Meta.
Meta has described the Meta Pixel as “a snippet of JavaScript code that loads a small library of functions” that can track Facebook ad-driven visitor activity on a website and “match website visitors to their respective Facebook user accounts.”
Court filings have alleged that the Meta Pixel can track information about a visitor’s device, including IP address and the pages viewed. It also can be configured to track search terms, button clicks and form submissions.
However, it is unclear how CRH had configured those tools or if it even used them at all. The original complaint and amended complaint do not specify how the plaintiffs concluded that CRH uses the tracking pixels, though the amended complaint provides alleged examples of the tools being used.
The issue of tracking technologies in health care settings came to light in June 2022 after a report by tech publication The Markup found that the Meta Pixel was installed on 33 of Newsweek’s top 100 hospitals in the country, including Johns Hopkins Hospital, UCLA Reagan Medical Center and Duke University Hospital.
The publication said former regulators, health data security experts and privacy advocates reviewed the report’s findings and found the hospitals’ use of the tracking tool may have violated HIPAA.
Since then, lawsuits have been filed against Cedars-Sinai Health System in Los Angeles, Rush University System for Health in Chicago, U of L Health in Louisville, LCMC Health in New Orleans, among several others across the country.
