**Sutter Health, Lemonaid Health, and Redeemer Health Settle Pixel Data Breach Lawsuits**
Three healthcare providers—Sutter Health, Lemonaid Health, and Redeemer Health—have reached settlements in class action lawsuits alleging unauthorized disclosures of patient data via website tracking technologies, including pixels, cookies, and web beacons. The lawsuits alleged that these tools, commonly used for analytics and marketing, transmitted protected health information (PHI) to third parties such as Meta and Google without valid patient consent or HIPAA-compliant authorization.
Sutter Health
The California-based nonprofit health system faced consolidated lawsuits (Jane Doe I and Jane Doe II v. Sutter Health) alleging that its website and MyHealthOnline patient portal shared PHI with third parties. The case proceeded on claims under the California Invasion of Privacy Act (CIPA) and for breach of express and implied contract. A $21.5 million settlement has received preliminary approval, with no admission of wrongdoing. Class members—California residents who accessed Sutter's MyHealthOnline portal between June 10, 2020, and March 20, 2020—may receive up to $90 each; unclaimed funds will go to privacy-focused nonprofits. The claim deadline is January 28, 2026, and the final fairness hearing is set for February 27, 2026.
Lemonaid Health
The telemedicine provider, owned by 23andMe, settled a lawsuit (A.J. v. Lemonaid Health) alleging its website shared PHI with Meta and Google via tracking pixels. The case was transferred to bankruptcy court after the defendants filed for Chapter 11. A $3.25 million settlement fund was established, with approximately 35,000 class members eligible for one-time payments. The final fairness hearing is scheduled for January 20, 2026, with objections due by January 5, 2026, and claims by February 23, 2026.
Redeemer Health
The Pennsylvania-based Catholic healthcare provider settled consolidated lawsuits (Doe v. Redeemer Health) over allegations that its websites and patient portals transmitted PHI to third parties without consent. The settlement offers class members a $25 cash payment and a year of dark web monitoring via CyEx Privacy Shield Pro. The final approval hearing is set for February 9, 2026, with claims due by January 9, 2026.
All three cases turn on the same technical fact: an analytics or advertising tag loaded on an authenticated page sees what the page sees, including the URLs, form fields and button clicks that reveal a patient's condition, provider or appointment, and forwards it to the tag vendor. HIPAA itself provides no private right of action, so the suits were brought under state wiretapping and privacy statutes such as CIPA, which carry statutory damages; the settlements reflect continuing exposure under both HIPAA and those state laws.
Sutter Health cybersecurity rating report: https://www.rankiteo.com/company/sutter-health
Rating record:

```json
{
  "id": "SUT1765814693",
  "linkid": "sutter-health",
  "type": "Breach",
  "date": "6/2025",
  "severity": "85",
  "impact": "4",
  "explanation": "Attack with significant impact with customers data leaks"
}
```

Incident details:

```json
{
  "affected_entities": [
    {
      "name": "Sutter Health",
      "type": "Non-profit Integrated Health Delivery System",
      "industry": "Healthcare",
      "location": "Sacramento, California, USA",
      "customers_affected": "California residents who logged into Sutter Health MyHealthOnline portal (June 10, 2025, to March 20, 2020)"
    },
    {
      "name": "Lemonaid Health",
      "type": "Telemedicine Platform Provider",
      "industry": "Healthcare/Telemedicine",
      "location": "USA",
      "customers_affected": "Approximately 35,000 class members"
    },
    {
      "name": "Redeemer Health",
      "type": "Catholic Healthcare Provider",
      "industry": "Healthcare",
      "location": "Huntingdon Valley, Pennsylvania, USA"
    }
  ],
  "attack_vector": "Website Tracking Technologies (Pixels, Cookies, Web Beacons, JavaScript)",
  "customer_advisories": "Class members notified of settlement terms and claim deadlines",
  "data_breach": {
    "data_exfiltration": "Transmitted to third parties (Meta, Google, etc.)",
    "personally_identifiable_information": "Yes (health information, user activity data)",
    "sensitivity_of_data": "High (health-related, personally identifiable)",
    "type_of_data_compromised": [
      "Personally identifiable health information (PHI)",
      "Protected health information (HIPAA-protected data)"
    ]
  },
  "description": "Settlements have been agreed to resolve class action lawsuits against three healthcare providers – Sutter Health, Lemonaid Health, & Redeemer Health – that alleged unlawful disclosures of individually identifiable patient information to third parties via website tracking technologies such as pixels.",
  "impact": {
    "brand_reputation_impact": "Likely negative impact due to lawsuits and settlements",
    "data_compromised": "Personally identifiable health information (PHI), protected health information (HIPAA-protected data)",
    "financial_loss": {
      "Lemonaid Health": "$3,250,000 settlement",
      "Redeemer Health": null,
      "Sutter Health": "$21,500,000 settlement"
    },
    "identity_theft_risk": "High (exposure of PHI and PII)",
    "legal_liabilities": "Class action lawsuits, regulatory scrutiny",
    "systems_affected": ["Websites", "Patient Portals"]
  },
  "investigation_status": "Settled (preliminary approval granted, final fairness hearings scheduled)",
  "lessons_learned": "Healthcare organizations must ensure compliance with HIPAA when using tracking technologies on authenticated pages (e.g., patient portals). Business associate agreements or HIPAA-compliant authorizations are required for third-party data sharing.",
  "motivation": "Data Collection for Marketing/Third-Party Use",
  "post_incident_analysis": {
    "corrective_actions": "Settlements include cash payments to affected individuals and, in some cases, dark web monitoring services (e.g., CyEx Privacy Shield Pro for Redeemer Health).",
    "root_causes": "Improper use of tracking technologies on patient portals without HIPAA-compliant safeguards, leading to unauthorized data sharing with third parties (Meta, Google, etc.)."
  },
  "recommendations": [
    "Review and audit website tracking technologies for compliance with HIPAA and state privacy laws.",
    "Obtain HIPAA-compliant authorizations or establish business associate agreements for third-party tracking tools on authenticated pages.",
    "Monitor regulatory guidance on tracking technologies and adjust practices accordingly.",
    "Implement enhanced monitoring and controls for data shared with third parties."
  ],
  "references": [{"source": "HIPAA Journal"}],
  "regulatory_compliance": {
    "legal_actions": "Class action lawsuits, partial vacatur of HHS guidance",
    "regulations_violated": ["HIPAA", "California Invasion of Privacy Act (CIPA)", "State privacy laws", "Wiretapping laws"]
  },
  "response": {"communication_strategy": "Settlement announcements, legal filings"},
  "title": "Sutter Health, Lemonaid Health, & Redeemer Health Settle Pixel Data Breach Lawsuits",
  "type": "Data Breach",
  "vulnerability_exploited": "Improper use of tracking technologies on authenticated pages (patient portals) without HIPAA-compliant authorizations or business associate agreements"
}
```