Duly Health and Care, operating as Midwest Physician Administrative Services, LLC, has agreed to pay $1.88 million to settle a class action lawsuit alleging the company secretly installed Meta Pixel tracking code on its patient portal without consent. The settlement, approved preliminarily and moving toward final approval after an April 7, 2026 hearing, compensates approximately 272,373 patients whose sensitive health-related communications were allegedly transmitted to Meta’s advertising platform during their use of the authenticated portion of the Duly website between July 24, 2020 and April 10, 2023. For example, when a patient logged into their account to message their doctor or view prescriptions, the Meta Pixel code allegedly tracked and reported this activity to Meta, potentially allowing the social media platform to build health profiles on users for targeted advertising purposes. This settlement represents one of several recent legal actions against healthcare providers for improperly installing third-party tracking pixels on patient-facing websites.
The core allegation centers on a fundamental breach of privacy expectations: patients using a secure, authenticated health portal assumed their interactions would remain private and confidential, not transmitted to advertising networks. Duly has denied all wrongdoing in the case, Mayer v. Midwest Physician Administrative Services, LLC, but agreed to the settlement to avoid further litigation costs and reputational damage. The claim deadline passed on March 2, 2026, meaning the window for filing claims has closed. However, understanding the settlement’s implications remains important for affected patients, particularly regarding what the case reveals about data protection in healthcare and what rights patients may have in similar future situations.
Table of Contents
- How Did Meta Pixel Tracking Code End Up on Duly’s Authenticated Patient Portal?
- Understanding the $1.88 Million Settlement Fund and Payout Structure
- Claim Deadlines and Where This Settlement Stands Today
- Who Qualifies as a Class Member and How to Verify Eligibility
- The Broader Privacy Implications of Undisclosed Health Data Tracking
- Historical Context—Similar Settlements and a Growing Pattern
- What Happens Next and What This Means for Healthcare Privacy
- Conclusion
How Did Meta Pixel Tracking Code End Up on Duly’s Authenticated Patient Portal?
The Meta Pixel is a small piece of code that websites place on their pages to track user behavior—what users click, which pages they visit, and when they take certain actions. Websites use this tracking primarily for advertising purposes, allowing them to build audience profiles and retarget users with ads on Meta platforms like Facebook and Instagram. When Duly installed the Meta Pixel on its patient portal, the code would execute every time a logged-in patient accessed the secure section of the website, capturing data about their interactions with health-related content. The allegation that makes this case significant is that Duly allegedly placed the pixel specifically on the *authenticated* portion of the website—the section requiring login credentials. This matters because the authenticated section contains far more sensitive information than a public website would have.
Patients accessing their health data expect reasonable privacy protections; the presence of third-party tracking code violates that expectation. Duly did not clearly disclose that Meta Pixel was capturing this data and transmitting it to Facebook’s parent company, Meta Platforms, Inc. Similar cases have been filed against other healthcare providers, including Arrowsmith Family Health centers and 30+ other organizations, following the same pattern of undisclosed pixel tracking on secured patient portals. The settlement does not reveal exactly how Duly came to implement the Meta Pixel or whether it was an intentional decision by leadership or an accidental deployment by a third-party vendor. This ambiguity is common in these settlements; defendants often settle without admitting specific intent or negligence, settling primarily to end litigation rather than concede the underlying facts.
Understanding the $1.88 Million Settlement Fund and Payout Structure
The $1.88 million settlement fund does not go entirely to class members; a portion covers administrative costs, legal fees, and settlement program expenses. The actual amount distributed to individual claimants depends on several factors: how many eligible class members file claims, whether claims are deemed valid and complete, and what percentage of the settlement fund the court allocates to the claimant pool versus administrative costs. Based on the estimated class size of 272,373 individuals, if nearly all eligible members filed claims, the per-person payout could range from $5 to $15, though this is speculative and depends entirely on claims filed and approved. one important limitation to understand: the settlement compensates people for the alleged data privacy violation, not for any actual financial loss or identity theft they suffered.
Even if a class member was never harmed by the Meta Pixel data transmission—no unauthorized ads were shown, no information was misused—they are still eligible for the pro-rata share of the settlement pool. This reflects the legal principle that privacy violations themselves constitute injury, regardless of whether tangible harm followed. However, because the deadline for filing claims has already passed (March 2, 2026), individuals can no longer submit claims to receive a payout. Only those who had already filed claims by that deadline will receive compensation from the fund. The settlement also requires Duly to implement certain changes to prevent similar tracking issues in the future, though the specific technological or policy modifications are not publicly detailed in available settlement documents.
Claim Deadlines and Where This Settlement Stands Today
The crucial claim filing deadline was March 2, 2026, which means this settlement window has already closed. Anyone who did not submit a claim by that date is ineligible to receive compensation from the settlement fund, even if they were a member of the class and met all eligibility requirements. This is a hard deadline; courts do not extend claim periods except in rare circumstances involving fraud or system failures that prevented timely filing. The implications are significant: patients who were unaware of the settlement, missed notices, or simply procrastinated on filing were effectively excluded from compensation. Alongside the claims deadline, the opt-out and objection deadline was also March 2, 2026. Class members who wished to pursue individual lawsuits against Duly or who wanted to voice their opposition to the settlement terms had until that date to take action.
Once the deadline passed, all remaining class members became bound by the settlement terms, even if they disagreed with them or preferred to pursue separate legal action. The final approval hearing occurred on April 7, 2026, at 10:00 A.M. CST, where the court heard final arguments and approval of the settlement was expected to be granted (final approval status is pending official documentation). For patients who missed these deadlines, the options are limited. They cannot join this particular settlement or pursue individual claims for the same allegations after the class action settles and receives final approval. However, they may still have private causes of action under state privacy laws or medical privacy statutes, though pursuing those independently would require hiring private counsel and navigating litigation on their own.
Who Qualifies as a Class Member and How to Verify Eligibility
Class membership in this settlement is straightforward but specific: any person who logged into the authenticated (login-required) portion of the Duly Health and Care website (www.dulyhealthandcare.com) at any point between July 24, 2020 and April 10, 2023 qualifies as a class member. This includes patients, caregivers, or anyone else with login credentials to access the secure portal. Simply visiting Duly’s public website (without logging in) does not qualify someone for the settlement; the tracking code and data transmission allegations specifically targeted authenticated users whose health data was more sensitive. To determine eligibility, individuals could check whether they had an active Duly patient account during the relevant time period. If they received any official communications from Duly—appointment reminders, test results, prescription notifications—between July 24, 2020 and April 10, 2023, they likely accessed the authenticated portal at some point.
Patients of multi-specialty physician groups or primary care clinics that use Duly’s patient management system would be the most obvious candidates for class membership. Duly’s patient portal primarily serves patients of participating healthcare providers, so only patients of those providers would have had authenticated access. One key limitation: class membership is not automatic just because someone was a Duly patient. They specifically needed to have logged into the authenticated portion of the website during the class period. Patients who preferred phone calls, in-person visits, or email communication without using the portal would not have been exposed to the Meta Pixel tracking and therefore wouldn’t have been part of the class action.
The Broader Privacy Implications of Undisclosed Health Data Tracking
This settlement highlights a critical gap in how many healthcare organizations protect patient privacy on digital platforms. While HIPAA and other healthcare privacy laws regulate the storage and sharing of patient data within the healthcare system, they have been slower to catch up with the reality of third-party tracking pixels embedded on healthcare websites. A tracking pixel is technically not a “disclosure” of protected health information to a third party in the traditional sense—no identifiable patient data is intentionally sent to Meta in a structured, obvious way. Instead, the pixel captures behavioral data and infers patient health status based on which pages are visited, what information is accessed, and when. This distinction matters legally and practically. Meta receives information about a user visiting a “patient portal,” accessing “prescription information,” or viewing “health history pages”—data points from which Meta can infer health conditions, medications, or medical concerns.
Meta can then use this inferred health profile for targeted advertising and audience segmentation. For a healthcare provider, the incentive to install such tracking is ostensibly innocent: they want to understand which parts of their website are most useful to patients or to retarget users on social media with appointment reminders. However, the risk to patient privacy is substantial and often not disclosed to patients. A warning for patients using other healthcare portals: this settlement should prompt individuals to review their own healthcare providers’ privacy notices and patient portal settings. Some providers allow patients to opt out of analytics tracking or limit data collection, though these options are not universally available. The Duly case illustrates that major healthcare organizations can unknowingly deploy or knowingly overlook tracking pixels on authenticated patient portals, emphasizing the need for patient vigilance and regulatory oversight.
Historical Context—Similar Settlements and a Growing Pattern
The Duly settlement is not an isolated case but part of a larger wave of litigation against healthcare organizations for similar tracking pixel violations. Arrowsmith Family Health Centers, for example, faced a class action for Meta Pixel tracking on its patient portal. Additionally, more than 30 other healthcare providers have been named in similar lawsuits alleging undisclosed Meta Pixel implementation on authenticated patient portals. These cases collectively suggest that the practice of deploying third-party tracking code on healthcare websites is more widespread than many patients realize.
The escalation of these lawsuits has prompted increased scrutiny from regulators and privacy advocates. Healthcare organizations are being forced to evaluate their website analytics practices more carefully and to consider whether the marketing insights they gain from third-party pixels justify the privacy risks and litigation costs. The $1.88 million settlement at Duly may seem modest in the context of a major healthcare organization’s budget, but the accumulating legal fees, management attention, and reputational damage across the industry’s multiple pixel-tracking lawsuits represent a significant business impact. This trend is likely to continue as patients and attorneys become more aware of the practice.
What Happens Next and What This Means for Healthcare Privacy
With the final approval hearing on April 7, 2026, the Duly settlement is expected to move toward its implementation phase, where claim processing occurs and payments are distributed to class members who filed timely claims. The settlement administrator will contact eligible claimants, verify their eligibility, process valid claims, and distribute settlement payments. This process typically takes several months, so class members who filed claims should expect payment distributions sometime in the coming months following final approval. Beyond the immediate settlement administration, the Duly case contributes to broader discussions about healthcare data privacy in the digital age.
Future regulatory action, whether from the Federal Trade Commission, state attorneys general, or healthcare regulators, may impose more stringent standards on the use of tracking pixels in healthcare settings. Healthcare providers that have not yet audited their website analytics and third-party integrations face growing pressure to do so. For patients, this settlement reinforces that privacy protection remains an individual responsibility; reviewing healthcare providers’ privacy practices and understanding what data is collected during digital interactions with health organizations is an important step in protecting personal health information. The settlement also demonstrates that class action litigation can serve as a check on privacy violations when regulatory oversight lags behind technology deployment.
Conclusion
The Duly Health and Care Meta Pixel Tracking Settlement represents a $1.88 million resolution to claims that the healthcare organization improperly transmitted patient portal data to Meta Platforms without patient consent. The settlement covers approximately 272,373 patients who logged into Duly’s secure patient portal between July 24, 2020 and April 10, 2023, with eligible class members receiving pro-rata payouts from the settlement fund. However, the claim filing deadline of March 2, 2026 has already passed, meaning only those who submitted timely claims will receive compensation.
For affected patients who missed the deadline, this settlement serves as a reminder of the importance of reviewing healthcare provider privacy practices and understanding what tracking technologies are embedded in patient-facing websites. Patients who filed claims before the deadline should expect payment distributions as the settlement moves through its final approval and administration phases. Healthcare organizations across the industry are facing similar lawsuits for identical practices, signaling a shift toward greater scrutiny of third-party data collection in healthcare digital environments. Going forward, patients should review the privacy policies of their healthcare providers’ online portals and consider whether their comfort level with data collection practices aligns with their personal privacy preferences, particularly as healthcare organizations continue to integrate analytics and advertising tools into patient-facing websites.