Lawsuit alleges Baystate shared patient health data with Meta, Google

Baystate denies wrongdoing and says data from its public website doesn’t qualify as protected health information.

A lawsuit claims Baystate Health is using patient web use data to "enrich itself." (Photo: Joe Douglass).

A Ludlow woman who used Baystate Health’s website to schedule a mammogram says she had no idea the hospital was sending details about her online activity to Meta and Google.

According to a federal class-action lawsuit, Baystate’s website transmitted patients’ health care-related activity, including clicks, search terms, and appointment requests, to the tech companies for more than two years. The hospital, meanwhile, told users it was “committed to protecting your privacy” and promised not to disclose information without written permission.

Hospitals nationwide have faced similar lawsuits. In 2022, Mass General Brigham in Boston paid $18.4 million to settle tracking claims. Earlier this year, Aspen Dental agreed to an $18.5 million settlement, and Mammoth Hospital in California settled by offering patients cash and credit monitoring, according to the HIPAA Journal.

The Baystate lawsuit argues that the not-for-profit hospital system used the tools not to serve patients but to “enrich itself” through advertising and data analytics. In court filings, Baystate has denied wrongdoing, saying that data from its public website doesn’t qualify as protected health information under the Health Insurance Portability and Accountability Act, or HIPAA.

Neither Baystate Health, nor the law firms Berger Montague and Shapiro and Teitelbaum LLP, who are representing the plaintiff, returned requests for comment.

The Ludlow plaintiff, identified as Jane Doe, has been a Baystate patient for over a decade, according to her lawsuit. She says that between November 2021 and April 2023, Baystate’s website shared her online activity through embedded Meta Pixel and Google Analytics tracking tools, without her knowledge or consent. Doe says she discovered about 80 Meta disclosures through Facebook’s Off-Facebook Activity report. 

The complaint says the data was tied to unique identifiers, like her IP address and Facebook ID cookie, allowing others to link her health-related browsing to her identity.

“Plaintiff and other patients were left shocked and distressed that Baystate was illegally disclosing their private health care information,” Doe’s attorneys wrote in a court filing. “The resulting harms are continuing, as confidential information cannot be retrieved once it has been disclosed and are now being used by third parties for their own purposes.”


Doe initially filed the lawsuit in Suffolk County Superior Court in August 2023. It moved to federal court in February 2025 after she added claims under the Electronic Communications Privacy Act (ECPA). The statute allows for damages of up to $10,000 per violation, meaning Baystate could be ordered to pay out tens or hundreds of millions of dollars, depending on the number of users tracked.

Doe is also suing under Massachusetts privacy and patient confidentiality laws and accuses Baystate of breaching an implied agreement not to disclose her private information without her consent. She alleges that Baystate violated its own HIPAA privacy notice, which states, “We never share your information [for sales or marketing purposes] unless you give us written permission.” The hospital also assured users that they could “visit most areas [of our website] without identifying yourself,” and that any cookie used “identifies only your browser.”

The lawsuit says the tools monitored how users moved through the site, including their searches, page visits, and clicks to register for support groups or log in to the patient portal. The suit also alleges that Baystate didn’t enable Google’s IP anonymization feature, which would have prevented the sharing of full IP addresses. That made it easier, according to the complaint, to link patients’ online activity to their identities, potentially violating federal privacy rules.

Baystate is asking the court to dismiss the case, arguing that Doe “does not identify any specific protected health information she provided to Baystate through its public website, let alone what specific information was improperly disclosed to third parties.” Doe’s lawyers acknowledge that the Off-Facebook Activity report was “incomplete.” But they say the way Baystate deployed Google and Meta code across its public site is enough, for now, to claim protected health information was shared, writing, “Discovery will show the full scope of Defendant’s disclosures to Meta and Google.”

Baystate contends that data about how people use its public website is not protected health information. It cites a 2024 federal court decision in American Hospital Association v. Becerra, in which a judge wrote that activity on a hospital’s public website “does not and cannot identify an individual or the individual’s PHI.” It also mentions a separate federal court decision that dismissed a similar suit, stating, “The disclosure of data regarding what health care information someone searches for and whether someone clicks on the patient portal link does not necessarily implicate HIPAA,” a federal patient privacy law enacted in 1996.

Baystate points out that Doe does not claim any tracking took place within the secure portal and says the case is only about data collected on public-facing pages. 

Doe’s lawsuit says tracking her clicks on the “patient log in” button and sending that information, along with her IP address and Facebook ID, to third parties effectively revealed her status as a Baystate patient, which she argues is protected health information under HIPAA.

Baystate says it didn’t violate the ECPA because it was a party to the communication between users and its website. The federal wiretap law allows one participant to monitor a conversation without the consent of the others involved. Doe, however, argues that an exception to that rule applies because Baystate collected and shared the data for a criminal or “tortious” purpose, meaning a wrongful act under civil law.

Baystate denies any wrongdoing, saying it used tracking technology for legitimate business purposes like digital advertising and site optimization. In its filings, the nonprofit argues that using web analytics tools isn’t the same as the kind of criminal surveillance targeted by federal wiretap laws.

Baystate removed the Meta Pixel from its website by April 2023, according to Doe’s lawsuit. She says the move came amid increased legal and public scrutiny following a 2022 investigation by The Markup that revealed hospitals were sharing sensitive patient data with Facebook via tracking tools. The lawsuit notes that Baystate made the change shortly before the Federal Trade Commission and the Department of Health and Human Services put out a joint bulletin warning health systems about the privacy risks associated with those tools. Doe says the hospital also added a cookie-consent pop-up in January 2023. Baystate’s court filings do not say whether internal reviews, patient complaints, or government warnings prompted the moves.

In a filing supporting Baystate, the U.S. Chamber of Commerce, which bills itself as “the world’s largest business organization,” argues the lawsuit tries to use federal wiretap law to enforce HIPAA — something only government agencies, not individuals, are allowed to do. The chamber points out that HIPAA does not give patients the right to sue directly over privacy violations, leaving enforcement to federal regulators and state attorneys general. It warns that letting this case go forward on that theory could open the door to lawsuits Congress never authorized and expose hospitals to massive penalties.

Expanding liability, the group said, could end up “diverting resources away from patient care and innovation” and “penalize the use of beneficial website analytics and marketing tools that healthcare providers and many other businesses rely on to improve user experience and public-health outcomes.”

The lawsuit argues that the hospital’s website could function without the tracking codes, noting that Baystate later removed the Meta Pixel but kept Google Analytics running on its main site, baystatehealth.org.

The case remains under review.

Joe Douglass

Joe Douglass is the founder and editor-in-chief of Discrepancy Report, an independent investigative news outlet based in Longmeadow. A three-time Emmy nominee, he previously spent over 16 years in TV news in cities including Los Angeles and Portland, Oregon.

Copyright © 2022 The Shoestring.