Legacy Health data-sharing settlement will pay $15 each to those affected
Legacy Health has agreed to a class action settlement over data collection and sharing practices that will pay $15 to each affected individual, while the plaintiffs' attorneys seek $2.2 million in legal fees. According to The Lund Report, the settlement resolves allegations about how Legacy handled patient data — an increasingly common legal exposure for health systems that have deployed website tracking pixels, third-party analytics tools, or data-sharing arrangements that may not have been adequately disclosed to patients.
The Legacy settlement fits a national pattern of healthcare data privacy litigation that has accelerated sharply since 2023. Hospitals and health systems across the country have faced lawsuits alleging that Meta Pixel, Google Analytics, and similar tracking technologies embedded in patient portals and appointment scheduling pages transmitted protected health information to third parties without consent. The FTC and HHS Office for Civil Rights have both signaled that web tracking technologies on healthcare websites can constitute HIPAA violations or unfair trade practices. The $15-per-person payout is modest, but the legal fees and reputational cost are substantial — and the precedent encourages future litigation against other Oregon health systems with similar digital infrastructure.
Every Oregon healthcare organization — from large systems to independent practices — should treat this settlement as a compliance wake-up call. IT and compliance teams need to audit every third-party script running on patient-facing websites, including scheduling platforms, telehealth portals, patient intake forms, and payment pages. The risk is not limited to large systems: any provider using a website with Google Analytics, Facebook tracking, or third-party chat widgets on pages where patients enter health information faces potential exposure. CCOs and health plans should also review their member-facing digital properties. The cost of a proactive audit is trivial compared to the legal and reputational exposure of a data-sharing complaint, and OHA has shown increasing interest in digital privacy as part of its health equity agenda.
Watch for whether other Oregon health systems — particularly OHSU, Providence, and Kaiser — face similar data-sharing complaints as plaintiff attorneys replicate the litigation model that succeeded against Legacy.