Novartis Faces Class Action Lawsuit Over Alleged Unauthorized Sharing of Patient Health Data
A Vermont-based cancer patient, identified as P.M., has filed a class action lawsuit against pharmaceutical giant Novartis, accusing the company of illegally sharing her sensitive health information with third parties, including Google and ContentSquare. The plaintiff, who received treatment with Novartis’ breast cancer therapy Kisqali, visited the drug’s website to access information and apply for a savings card, only to later receive targeted advertisements related to her medical condition.
The complaint alleges that Novartis embedded tracking pixels and other tools on its website, transmitting P.M.’s private data without her consent. The lawsuit claims the company prioritized marketing and profits over patient privacy, leading to emotional distress and a violation of medical confidentiality.
This case is part of a growing trend of litigation in the U.S. and beyond, where corporations face accusations of unlawfully sharing user data via tracking technologies, particularly those from Google and Meta. Last month, New York’s Northwell Health settled a similar class action over data harvested from its patient portal, while a California federal court previously ruled that pixel-tracked data from public webpages did not constitute a breach of protected health information (PHI).
Novartis, one of the largest pharmaceutical companies targeted in such lawsuits, is under scrutiny for allegedly deploying these trackers across multiple product websites, including those for Cosentyx (immunology), Entresto (heart failure), Leqvio (cholesterol), and Pluvicto (prostate cancer). The plaintiff argues that the trackers violate HIPAA, the Electronic Communications Privacy Act (ECPA), and other legal protections, and that their use amounts to breach of contract and breach of fiduciary duty.
The lawsuit seeks an injunction against the use of tracking tools, damages, and legal fees. Given the widespread use of such technologies in the pharmaceutical industry, the case is expected to draw significant attention.
Source: https://pharmaphorum.com/news/patient-sues-novartis-claiming-data-tracking-privacy-breach
Novartis cybersecurity rating report: https://www.rankiteo.com/company/novartis
{
  "id": "NOV1774449180",
  "linkid": "novartis",
  "type": "Breach",
  "date": "2/2026",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
{'affected_entities': [{'customers_affected': 'Patients using Novartis drug '
'websites (e.g., Kisqali, '
'Cosentyx, Entresto, Leqvio, '
'Pluvicto)',
'industry': 'Healthcare/Pharmaceuticals',
'location': 'Global (headquartered in Switzerland)',
'name': 'Novartis',
'size': 'Large (multinational corporation)',
'type': 'Pharmaceutical company'}],
'attack_vector': 'Tracking pixels and third-party tools',
'data_breach': {'data_exfiltration': 'Yes (shared with Google and '
'ContentSquare)',
'personally_identifiable_information': 'Yes (health data, '
'browsing activity)',
'sensitivity_of_data': 'High (medical and personal data)',
'type_of_data_compromised': 'Patient health information, '
'personally identifiable '
'information (PII)'},
'description': 'A Vermont-based cancer patient filed a class action lawsuit '
'against Novartis, accusing the company of illegally sharing '
'her sensitive health information with third parties, '
'including Google and ContentSquare, via tracking pixels '
'embedded on its drug websites. The plaintiff alleges that '
'Novartis prioritized marketing and profits over patient '
'privacy, leading to emotional distress and violations of '
'medical confidentiality.',
'impact': {'brand_reputation_impact': 'Significant (allegations of '
'prioritizing profits over patient '
'privacy)',
'customer_complaints': 'Yes (class action lawsuit filed)',
'data_compromised': 'Patient health information, personally '
'identifiable information (PII)',
'identity_theft_risk': 'Potential (exposure of sensitive health '
'data)',
'legal_liabilities': 'Class action lawsuit, potential HIPAA and '
'ECPA violations',
'systems_affected': 'Novartis drug websites (e.g., Kisqali, '
'Cosentyx, Entresto, Leqvio, Pluvicto)'},
'investigation_status': 'Ongoing (lawsuit pending)',
'motivation': 'Marketing and profit',
'post_incident_analysis': {'root_causes': 'Use of tracking pixels and '
'third-party tools without explicit '
'patient consent'},
'references': [{'source': 'Class action lawsuit filing'}],
'regulatory_compliance': {'legal_actions': 'Class action lawsuit filed',
'regulations_violated': ['HIPAA',
'Electronic Communications '
'Privacy Act (ECPA)',
'Breach of contract',
'Breach of fiduciary '
'duty']},
'title': 'Novartis Faces Class Action Lawsuit Over Alleged Unauthorized '
'Sharing of Patient Health Data',
'type': 'Data Privacy Violation',
'vulnerability_exploited': 'Unauthorized data sharing via embedded trackers'}