
Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.
Thank you!
Please check your email to view the guide.

On May 11, 2026, the US District Court for the District of Minnesota granted preliminary approval to a $12.5 million class action settlement resolving allegations that Allina Health System violated the Electronic Communications Privacy Act (ECPA), among other privacy laws, by disclosing patients' personal and health information to advertising third parties through tracking pixels on its websites.
Allina is a Minnesota health system. The plaintiffs allege that tracking technologies on Allina's websites, applications, servers, and webpages disclosed visitor information to Meta and Google. The settlement class period runs from September 16, 2018 to May 11, 2026.
The complaint describes tracking pixels, cookies, and other tracking technologies sending PII, PHI, and sensitive medical information to Meta/Facebook and Google.
Allina's own 2023 notice provides useful context. A forensic firm determined in late February 2023 that tracking pixels were sending protected information to Google Analytics, affecting about 1,000 people.
The data may have included:
Allina says it has removed the code.
The $12.5 million fund allocates $10,303,098 to Group 1 (portal, bill-pay, and scheduling users, about 1,585,092 people) and $2,196,902 to Group 2 (about 946,231 people), paid pro rata after fees and costs.
The settlement is expressly not an admission of liability. The final approval hearing is set for September 24, 2026, with an opt-out and objection deadline of August 10 and a claims deadline of September 8.
In 2023, Alina self-reported this incident as covering around 1,000 people and Google Analytics. However, the litigation reaches an estimated 2.5 million people and both Meta and Google over a multi-year class period.
One important lesson here is the distance between Allina's 2023 incident review and the eventual scope of the class action. Pixel exposure is often far broader than an initial assessment suggests, because trackers fire across dozens of portals and webpages, not just the public marketing site.
The governance question for both privacy and marketing teams is whether the tracking inventory captures every pixel on authenticated and transactional pages, and whether the organization knows which third parties receive data and which fields they receive.
Privado AI's Web Auditor and App Auditor continuously scan public and authenticated pages to flag pixels that fire before consent and map exactly which third parties receive personal data, so a tracking incident does not quietly expand into a class action.