CIPA Litigation Prevention Guide

Understand why CIPA lawsuits are rising and how to minimize privacy risk on your website.

Thank you!
Please check your email to view the guide.

Allina Health settles $12.5M ECPA lawsuit for sharing patient data via web tracking pixels

July 6, 2026
5
 mins read
Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm
Allina Health settles $12.5M ECPA lawsuit

On May 11, 2026, the US District Court for the District of Minnesota granted preliminary approval to a $12.5 million class action settlement resolving allegations that Allina Health System violated the Electronic Communications Privacy Act (ECPA), among other privacy laws, by disclosing patients' personal and health information to advertising third parties through tracking pixels on its websites.

  • Allina allegedly used tracking pixels, cookies, and other tracking technologies to disclose website visitors' personal information (PII), protected health information (PHI), and sensitive medical information to Meta/Facebook and Google
  • The pleaded claims included the Minnesota Health Records Act, the federal Electronic Communications Privacy Act (ECPA), the Minnesota Unfair and Deceptive Trade Practices Act, invasion of privacy, breach of implied contract, unjust enrichment, breach of fiduciary duty, breach of confidence, and negligence
  • ECPA is the federal version of the California Invasion of Privacy Act (CIPA), which has driven most privacy lawsuits since 2022, and ECPA is typically included in the CIPA lawsuit complaints 
  • Allina agreed to a $12.5 million fund split across two settlement classes covering roughly 2.5 million people, and denies any wrongdoing

What is this case about?

Allina is a Minnesota health system. The plaintiffs allege that tracking technologies on Allina's websites, applications, servers, and webpages disclosed visitor information to Meta and Google. The settlement class period runs from September 16, 2018 to May 11, 2026.

What data was allegedly shared, and with whom?

The complaint describes tracking pixels, cookies, and other tracking technologies sending PII, PHI, and sensitive medical information to Meta/Facebook and Google.

Allina's own 2023 notice provides useful context. A forensic firm determined in late February 2023 that tracking pixels were sending protected information to Google Analytics, affecting about 1,000 people. 

The data may have included: 

  • Name
  • Date of birth
  • IP address
  • Limited clinical information such as symptoms or diagnoses, medications, lab and imaging results, and in a few cases insurance card numbers. 

Allina says it has removed the code.

What are the settlement terms?

The $12.5 million fund allocates $10,303,098 to Group 1 (portal, bill-pay, and scheduling users, about 1,585,092 people) and $2,196,902 to Group 2 (about 946,231 people), paid pro rata after fees and costs.

The settlement is expressly not an admission of liability. The final approval hearing is set for September 24, 2026, with an opt-out and objection deadline of August 10 and a claims deadline of September 8.

What should privacy teams take from this?

In 2023, Alina self-reported this incident as covering around 1,000 people and Google Analytics. However, the litigation reaches an estimated 2.5 million people and both Meta and Google over a multi-year class period.

One important lesson here is the distance between Allina's 2023 incident review and the eventual scope of the class action. Pixel exposure is often far broader than an initial assessment suggests, because trackers fire across dozens of portals and webpages, not just the public marketing site.

The governance question for both privacy and marketing teams is whether the tracking inventory captures every pixel on authenticated and transactional pages, and whether the organization knows which third parties receive data and which fields they receive.

Key takeaways

  • Establish robust digital tracking governance to track all personal data elements shared and all third parties receiving personal data
  • Continuously audit websites and apps to ensure that user consent is actually honored and no sensitive data is shared
  • Run data protection assessments for any processing of personal data for targeted advertising, selling of personal data, or processing of sensitive data

Privado AI's Web Auditor and App Auditor continuously scan public and authenticated pages to flag pixels that fire before consent and map exactly which third parties receive personal data, so a tracking incident does not quietly expand into a class action.

Industry insights you won’t delete. Delivered to your inbox.

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Robert Bateman
Robert Bateman
Senior Partner at Privacy Partnership law firm

Get regular updates from Privado AI

Request free website audit

Request Privado AI demo

Continue Reading