Henry Ford Health Lawsuit: Patient Data Shared Without Consent

A class action lawsuit accuses Henry Ford Health of secretly tracking and sharing patients' confidential medical data with third parties, including Facebook and Google, without their consent.

Consumers Affected: Patients who used Henry Ford Health's website or MyChart Patient Portal for medical-related activities.

Reason for Lawsuit: Allegations of unauthorized sharing of personal health information, violation of patient privacy, and failure to obtain informed consent for data collection and sharing.

Court: The class action lawsuit was filed in the U.S. District Court for the Eastern District of Michigan.

Henry Ford Health unlawfully discloses patients' confidential information to third parties, including Facebook and Google without patient consent, a new class action lawsuit alleges. The lawsuit comes as health organizations are increasingly under fire for the way they manage patient information, and facing mounting legal action for breaches of consumer privacy. 

In the case of Henry Ford Health, the healthcare provider uses third-party tracking technologies, including Facebook Pixel, Google Analytics, Google Tag Manager, and Google DoubleClickAds, to monitor patients and then sells their data on to private companies, the lawsuit alleges.

Henry Ford Health Accused of Secretly Tracking Patients' Medical Data For Over a Decade

Plaintiff Nina McClain filed the proposed class action lawsuit against Henry Ford Health, accusing the company of failing to protect patient information from unauthorized access, neglecting to obtain consent for data sharing, and not adequately informing patients about the presence of tracking technologies on its website. 

McClain says that because of Henry Ford’s “surreptitious collection and divulgence”, she, and many others, have suffered  invasion of privacy, loss of the value of their personal information, and ongoing risks to their private data. The violations are extremely serious data security and privacy issues, she argues. 

According to the lawsuit, since June 2015, Henry Ford Health has been using the third-party tracking technologies in its software, which patients use for various medical-related activities such as booking appointments, locating physicians, and accessing the MyChart Patient Portal. 

The MyChart Portal is particularly significant as it allows patients to manage their health records, pay bills, communicate with healthcare providers, and complete medical forms.

Patient Data Shared with Facebook & Google Without Consent

These tools allegedly track and collect user communications with the website and send this information to Facebook and Google without patient knowledge or consent. This data can include searches for specific health conditions and treatment options, appointment bookings, and other personal health information, potentially revealing sensitive details such as a patient's medical conditions and treatment plans.

The lawsuit claims that Facebook and Google use the collected data for various business purposes, including improving ad targeting and selling the information to third-party marketers. Facebook reportedly connects user data from Henry Ford Health's website to individual Facebook profiles, allowing for precise ad targeting based on the user's health information. Google similarly logs user data and uses it for personalized advertising, the lawsuit alleges.

The lawsuit also highlights the use of Facebook's Conversions Application Programming Interface (CAPI) by Henry Ford Health. Unlike the Facebook Pixel, which operates through the user's browser, CAPI tracks user interactions on the website and transmits this information directly from the healthcare provider's servers to Facebook. This method circumvents ad blockers and other privacy measures that users might employ.

Healthcare Data Breach Epidemic: Is Your Medical Information Safe?

It’s not just Henry Ford in the healthcare world who is dealing with data issues—the problem has become pervasive with healthcare providers. Healthcare data breaches have been steadily rising each year, according to the Department of Health and Human Services Office for Civil Rights.

Between 2009 and 2023, 5,887 healthcare data breaches of 500 or more records were reported to OCR. Those breaches have resulted in the exposure or disclosure of more than 500 million healthcare records.

The largest healthcare data breach since 2009 occurred at Anthem Inc. in 2015, The HIPAA Journal reports. The breach involved the records of 78.8 million individuals. The current Change Healthcare data breach fallout could prove to be worse. Almost 50 lawsuits filed against UnitedHealth Group after its Change Healthcare payment processing unit was hit with a cyberattack in February will be centralized in a Minnesota court, where the action will play out. 

Recently, California-based Kaiser Health was hit with a proposed class action lawsuit for very similar allegations to Henry Ford, with patients alleging it shared the personal information of more than 13.4 million patients with Google, X, and Microsoft without their knowledge and consent. The three plaintiffs accuse the healthcare provider of violating federal and state laws, and are suing for $1,000 per violation, which they say could total more than $13.4 billion in damages.

In her lawsuit, McClain is suing for violations of several laws including the Health Insurance Portability and Accountability Act (HIPAA). She is seeking statutory damages, compensation for losses, and an injunction to prevent Henry Ford Health from continuing these practices.

Case Details

• Lawsuit: McClain v. Health Ford Health
• Case Number: 2:24-cv-11739-DML-CI 
• Court: U.S. District Court for the Eastern District of Michigan 

Plaintiffs' Attorneys

• Nicholas A. Coulson and Julia G. Haghighi (Coulson P.C.)
• David S. Almeida and Elena A. Belov (Almeida Law Group LLC)
• Gary M. Klinger, Glen L. Abramson, and Alexandra M. Honeycutt (Milberg Coleman Bryson Phillips Grossman PLLC)