Roughly 800,000 Duke Health patients who logged into the MyChart portal face an August 16 deadline to file claims in a $3.74 million privacy settlement. The case centers on allegations that the health system’s patient portal transmitted sensitive user data to third-party tracking tools. Those who miss the cutoff forfeit any share of the fund.
Why the Duke Health MyChart settlement demands attention now
The settlement addresses a specific problem that has rattled hospitals and health systems across the country: the use of tracking pixels, cookies, and similar analytics code embedded in patient-facing websites and apps. When a patient logs into a portal like MyChart to schedule an appointment, review lab results, or message a provider, those interactions can generate data that identifies the individual and reveals their medical interests. If tracking tools transmit that data to advertising platforms or analytics vendors, the health system may have exposed protected health information without patient consent.
Federal regulators have already drawn a clear line on this issue. The U.S. Department of Health and Human Services Office for Civil Rights issued detailed guidance on tracking technologies, explaining that HIPAA obligations apply when covered entities deploy pixels and cookies, and that web interactions with those entities may constitute protected health information or individually identifiable health information. That guidance puts hospitals on notice: routine analytics tools can trigger the same legal duties as a misfiled medical record.
The Duke Health settlement is not an isolated episode. Hospitals using major electronic health record portals are likely to accelerate the removal or reconfiguration of third-party tracking code over the next year to avoid similar class-action exposure, even without new federal rules on the books. The financial and reputational cost of a settlement, combined with explicit regulatory guidance, creates strong incentive to act. Health systems that delay risk becoming the next defendant in a privacy class action built on the same theory of liability.
Federal enforcement and HIPAA guidance behind the claims
Two federal actions frame the legal environment surrounding the Duke Health case. The HHS OCR guidance made explicit that HIPAA-covered entities cannot treat website analytics as a compliance-free zone. When a hospital places a tracking pixel on a page where patients enter login credentials, search for providers, or interact with health content, the data collected may qualify as protected health information under federal law. That distinction matters because it extends HIPAA’s privacy requirements beyond traditional clinical records into the digital tools patients use every day.
Separately, the Federal Trade Commission took action against GoodRx for sharing consumers’ sensitive health information with advertising partners. While GoodRx operates under a different legal framework than HIPAA-covered hospitals, the FTC’s move signaled that federal agencies are willing to pursue companies that treat health-related browsing and app data as fair game for ad targeting. Together, these actions establish that both HIPAA regulators and the FTC view the unauthorized sharing of health data through tracking technologies as a serious violation, not a technical oversight.
Open questions for eligible Duke Health patients
Several details about the settlement remain unclear from publicly available records. The exact data-sharing practices at issue, the specific third-party recipients of patient data, and whether Duke Health admitted to any wrongdoing are not fully spelled out in the summaries available to patients. As with many class-action resolutions, the health system appears to contest key allegations while agreeing to pay into a fund to avoid the uncertainty and expense of continued litigation.
For affected patients, the most immediate question is whether to submit a claim before the August 16 deadline. Class members typically qualify if they used the MyChart portal during the period when tracking technologies were active, but eligibility and payout formulas are defined in the official settlement notice and claim form. Patients who believe their data was exposed but do not file in time will generally be bound by the settlement’s release of claims without receiving compensation, closing off future individual lawsuits based on the same underlying conduct.
Another unresolved issue is what specific remedial steps Duke Health has taken or will take to prevent similar incidents. Settlements of this type often include commitments to review or limit third-party code, strengthen vendor contracts, and enhance privacy disclosures. Without detailed public reporting, patients may not know exactly how the portal has changed, only that the health system has faced legal pressure to align its digital practices with evolving privacy expectations.
What the case signals for hospital portals and patients
The Duke Health MyChart settlement underscores how quickly routine web design choices can become legal flashpoints once they intersect with health information. Hospitals that once relied on off-the-shelf analytics now face the task of mapping every data flow, evaluating each vendor relationship, and determining whether tracking code is truly necessary on pages where patients log in or interact with health-related content. For many, the safest path will be to sharply curtail third-party tools or to route analytics through business associate agreements that squarely acknowledge HIPAA obligations.
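One way to begin the data-flow mapping described above, as an added example that is not from the article, Duke Health or MyChart: a small Python auditor that parses a portal page's HTML and lists the third-party hosts the browser would contact on load. The portal domain, page contents and tracker domains are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose attribute makes the browser fetch a remote resource; that fetch
# is how a tracking pixel or analytics script sees the patient's request.
FETCH_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class ResourceCollector(HTMLParser):
    """Collects every URL a page would load via script/img/iframe/link tags."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCH_ATTRS.get(tag)
        for name, value in attrs:
            if name == wanted and value:
                self.urls.append(value)


def is_first_party(host, first_party):
    """True if host equals, or is a subdomain of, a domain the entity controls."""
    return any(host == d or host.endswith("." + d) for d in first_party)


def third_party_hosts(html, first_party):
    """Return the set of external hostnames this page would contact on load."""
    collector = ResourceCollector()
    collector.feed(html)
    hosts = set()
    for url in collector.urls:
        host = urlparse(url).hostname  # None for relative paths (same origin)
        if host and not is_first_party(host, first_party):
            hosts.add(host)
    return hosts


def audit(pages, first_party):
    """Map each route to the third-party hosts its HTML would contact."""
    return {route: third_party_hosts(html, first_party) for route, html in pages.items()}

# Constructed sample: a login page and a post-login results page of a
# hypothetical portal under example-health.org. All domains are placeholders.
SAMPLE_PAGES = {
    "/login": '<script src="/static/app.js"></script>'
              '<script src="https://tracking.example-ads.net/pixel.js"></script>'
              '<link rel="stylesheet" href="https://static.example-health.org/site.css">',
    "/results": '<img src="//analytics.example-metrics.com/p.gif?page=results">'
                '<iframe src="https://chat.example-health.org/widget"></iframe>',
}
FIRST_PARTY = {"example-health.org"}

if __name__ == "__main__":
    for route, hosts in audit(SAMPLE_PAGES, FIRST_PARTY).items():
        print(route, "->", sorted(hosts) or "no third-party requests")
```

Run it over pages fetched after login so the audit covers the authenticated routes where tracking code is most sensitive; a network-level capture (for example a HAR file) also catches requests that scripts issue later, which this static HTML pass does not.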
Patients, meanwhile, may become more cautious about assuming that a portal login guarantees airtight privacy. Even when no diagnosis codes or lab values are exposed, the combination of IP address, device identifiers, appointment types, and portal navigation paths can paint a detailed picture of someone’s health concerns. The Duke Health settlement does not answer every question about how such data should be handled, but it sends a clear message: health systems will be held accountable for the invisible tracking code that rides along with otherwise routine online care.