Catholic Health System (CHS) is facing a proposed $20 settlement following class action allegations that information connected to its online patient portal may have been disclosed to third parties through common web and app tracking technologies. Patient portals—used for viewing test results, scheduling, billing, and messaging clinicians—often rely on analytics and advertising tools that can capture device identifiers, IP addresses, URLs visited, and in some cases details about interactions with health-related pages. Because health data is uniquely sensitive, even partial signals about a person’s treatment or portal activity can raise serious privacy concerns when shared beyond the healthcare provider’s systems. The lawsuit was filed on the theory that CHS improperly permitted or enabled such data flows without adequate notice or consent, potentially allowing third parties to infer patients’ healthcare relationships or activities. The settlement notice indicates eligibility for current or former CHS patients who logged into the portal or sought/received treatment between January 1, 2020 and December 11, 2025, with a claim deadline of 4/10/26 and no proof required—features that can make participation easier for affected patients. Its significance lies less in the dollar amount and more in reinforcing that digital front doors to care must be treated with the same rigor as traditional medical records, especially as portals become central to patient engagement. More broadly, the case fits into a growing wave of “pixel” and tracking-related healthcare privacy suits brought against hospitals and health systems nationwide, often alleging violations tied to the use of tools like Meta Pixel, Google Analytics, or similar SDKs. Regulators have also emphasized limits on sharing health information with marketing/analytics partners: HIPAA’s rules restrict disclosures of protected health information without a valid basis, and separate consumer-health privacy regimes and unfair/deceptive practices laws can apply when disclosures conflict with privacy promises or expectations. Together, these pressures are pushing providers to audit tracking scripts, tighten vendor contracts, minimize data collection, and redesign analytics so performance insights don’t come at the cost of patient confidentiality.