Landmark consumer protection cases in healthcare, HIPAA violations, fake reviews enforcement, and behavioral health facility litigation spanning 2020-2025
Major settlements involving healthcare providers' use of tracking technology that disclosed protected health information to third-party advertisers, establishing precedent for digital privacy violations in medical contexts.
Advocate Aurora Health, one of the nation's largest healthcare systems, settled claims that it used Facebook tracking pixels to retarget consumers based on medical tests and procedures. The facility transmitted protected health information of 2.5 million patients to Facebook without authorization, enabling Facebook to create targeted advertising profiles based on sensitive medical data including appointments, search queries within patient portals, and healthcare services accessed.
Establishes that healthcare providers bear liability for third-party tracking technology even when implemented by vendors. The $12.2 million settlement demonstrates substantial damages exposure for systematic privacy violations affecting millions of patients. Courts recognized that "de-identified" data transmitted with tracking pixels could be re-identified when combined with other information held by advertising platforms.
MarinHealth reached a $3 million settlement for its use of the Meta Pixel tracking tool on its website between 2019 and 2025. The facility embedded Facebook tracking code on patient-facing web pages including appointment scheduling, symptom checkers, and physician directories. This implementation transmitted patient browsing behavior, search queries, and appointment selections directly to Facebook's advertising infrastructure.
The six-year duration of violations demonstrates that courts will impose liability for historical privacy breaches regardless of when plaintiffs discovered the violation. The settlement's per-patient damages calculation provides a framework for valuing systematic privacy violations at scale. The case establishes that healthcare websites must treat all patient interactions as PHI subject to HIPAA protection.
University of Rochester Medical Center settled for $2.85 million related to tracking technology deployed on both its public website and its MyChart patient portal. The particularly egregious aspect of this case involved tracking pixels embedded within the authenticated patient portal environment where patients accessed lab results, medical records, prescription histories, and direct communications with healthcare providers.
Establishes heightened liability for tracking technology deployed within authenticated patient portals versus public-facing websites. Courts recognize that patient portal activity reveals more sensitive medical information than general website browsing. Case demonstrates that academic medical centers face the same liability as private healthcare systems despite research and educational missions.
Hospital Sisters Health System settled a class action lawsuit for $7.6 million following an August 2023 cyberattack that compromised the protected health information of approximately 883,000 patients. The settlement addressed claims that the healthcare system failed to implement adequate cybersecurity safeguards and delayed notification to affected patients.
Reinforces that healthcare organizations bear liability not only for affirmative privacy violations but also for negligent security practices enabling third-party breaches. Per-patient settlement value of approximately $8.60 provides baseline for calculating damages in large-scale healthcare data breach litigation.
Federal Trade Commission enforcement actions targeting deceptive practices, fake reviews, and privacy violations in the mental health and substance abuse treatment sectors, demonstrating aggressive regulatory scrutiny of behavioral health providers.
The Federal Trade Commission sued Florida-based Evoke Wellness, LLC and Evoke Health Care Management and their officers in January 2025 for using deceptive Google search ads and telemarketing to masquerade as other substance use disorder treatment providers. The defendants purchased Google Ads using competitors' names and trademarks, causing patients seeking specific treatment facilities to be redirected to Evoke's programs under false pretenses.
Demonstrates FTC willingness to pursue behavioral health facilities for digital marketing deception. The $1.9 million civil penalty represents one of the largest FTC enforcement actions in the substance abuse treatment sector. Case establishes that patient vulnerability and medical urgency are aggravating factors warranting enhanced penalties. Settlement permanently bars defendants from misrepresenting facility identity—creating industry precedent for honest marketing practices.
The FTC reached a landmark $7.8 million settlement with BetterHelp, the world's largest online therapy platform, over allegations that it used and revealed sensitive consumer health data for advertising purposes. BetterHelp promised users that their personal health information would remain private but then shared email addresses, IP addresses, and mental health intake questionnaire responses with Facebook, Snapchat, Criteo, and Pinterest for targeted advertising.
First major FTC enforcement action targeting online mental health platforms specifically for health data privacy violations. Establishes that mental health platforms face heightened privacy obligations even when not technically covered by HIPAA. The 800,000 affected users receiving refunds creates precedent for consumer redress in privacy violation cases. Settlement permanently prohibits BetterHelp from disclosing health data for advertising—setting industry standard for telehealth privacy practices.
The FTC's action against Cerebral, another major online mental health platform, resulted in more than $5 million in refunds to consumers as a result of deceptive cancellation practices. Cerebral made it difficult for consumers to cancel subscriptions, buried cancellation processes in complex account settings, and continued billing patients who attempted to cancel but were unable to navigate the intentionally confusing cancellation interface.
Establishes FTC enforcement priority targeting "dark patterns" and subscription traps in mental health services. Demonstrates that behavioral health platforms cannot exploit patient dependency on ongoing treatment to prevent cancellation. The substantial consumer refund requirement creates deterrent effect against manipulative subscription practices in healthcare contexts where patients may be particularly vulnerable to retention tactics.
The operators of telemedicine company Southern Health Solutions, Inc., doing business as Next Medical and NextMed, settled FTC charges that they used deceptive claims about costs and weight loss, fake reviews, and fake testimonials to lure consumers into buying weight-loss membership programs with hidden terms and conditions. The company fabricated customer testimonials and posted fake positive reviews on its website and third-party platforms.
First FTC settlement explicitly addressing fake reviews in telehealth/behavioral health context. Establishes that healthcare providers using fake testimonials face consumer refund obligations plus civil penalties. The $150,000 settlement, though smaller than other cases, demonstrates FTC willingness to pursue enforcement even against smaller telehealth operators. Creates precedent that fake reviews in healthcare contexts warrant regulatory intervention distinct from general e-commerce fake review enforcement.
Recent Federal Trade Commission enforcement under the landmark Consumer Reviews and Testimonials Rule (16 C.F.R. Part 464, effective October 21, 2024), establishing new standards prohibiting review suppression, fake reviews, and coercive review solicitation across all industries.
The Federal Trade Commission issued warning letters to ten companies across multiple industries for possible violations of the agency's Consumer Reviews and Testimonials Rule. The warned companies allegedly engaged in prohibited practices including suppressing negative reviews, conditioning services on positive reviews, and using fabricated testimonials. This enforcement action represents the FTC's first public demonstration of active Consumer Review Rule enforcement.
Establishes FTC enforcement priorities under the new Consumer Review Rule. The warning letters signal that the FTC is actively monitoring review practices across industries and is willing to pursue civil penalties of up to $51,744 per violation. The multi-industry approach demonstrates that healthcare providers face the same review integrity standards as e-commerce, hospitality, and service businesses. Companies receiving warnings have limited time to remediate practices before facing formal enforcement actions with substantial financial penalties.
The FTC's Consumer Reviews and Testimonials Rule codifies longstanding prohibitions against fake reviews and establishes new protections for consumer review rights. The Rule explicitly prohibits businesses from: writing or selling fake reviews; suppressing negative reviews while soliciting positive ones; using unfounded legal threats to prevent reviews; misrepresenting reviews as independent when they come from insiders; and buying positive or negative reviews about competitors.
Establishes federal floor for review integrity applicable to all businesses including healthcare providers. The per-violation penalty structure means that systematic review solicitation affecting hundreds of patients creates potential liability in the millions of dollars. Rule explicitly confirms that practices violating these standards have always constituted unfair and deceptive trade practices under Section 5 of the FTC Act—enabling potential retroactive enforcement for pre-October 2024 violations through general FTC authority.
Department of Health and Human Services Office for Civil Rights settlements involving healthcare providers' improper disclosure of protected health information in connection with online reviews and reputation management.
Elite, a privately-owned dental practice, agreed to pay $10,000 to settle allegations that it disclosed patients' protected health information in response to reviews posted on Yelp. The practice responded to negative Yelp reviews by disclosing specific treatment details, appointment dates, and clinical observations in an attempt to rebut patient criticism and defend the practice's reputation.
Establishes that healthcare providers cannot disclose any protected health information in review responses even when responding to patient-initiated public criticism. The $10,000 settlement for a single small dental practice demonstrates that OCR will pursue enforcement against providers of all sizes. Case creates bright-line rule: healthcare providers may acknowledge reviews generically but must never confirm patient identity, treatment details, or clinical information in public responses regardless of review content.
The Department of Health and Human Services Office for Civil Rights imposed a $30,000 penalty against Manasa Health Center and required implementation of a Corrective Action Plan for disclosing protected health information in responding to negative online reviews. The behavioral health facility responded to Google reviews with specific details about patients' mental health diagnoses, treatment participation, and behavioral incidents.
Establishes enhanced liability for behavioral health facilities disclosing mental health information in review contexts. The Corrective Action Plan requirement demonstrates that systematic review response violations trigger ongoing compliance monitoring beyond monetary penalties. Settlement creates precedent that behavioral health PHI warrants heightened protection compared to general medical information given sensitivity and stigma associated with mental health treatment.
New Vision Dental reached a $23,000 settlement with HHS Office for Civil Rights for disclosing protected health information in Yelp review responses. The dental practice responded to negative reviews by revealing specific procedures performed, billing disputes, and patient payment histories in attempts to justify its billing practices and defend against fraud allegations.
Reinforces that financial information related to healthcare services constitutes protected health information subject to HIPAA privacy protections. The settlement demonstrates that providers cannot use PHI defensively to rebut allegations of improper billing or practice management even when the patient initiates the public discussion. The $23,000 penalty for responses to a limited number of reviews establishes that per-disclosure damages can be substantial.