Novartis is facing a class-action lawsuit alleging it shared, without patients’ consent, sensitive health information it collected from visitors to its consumer-facing branded drug websites.
The lawsuit was brought in U.S. District Court in New Jersey last week, with a breast cancer patient identified only as P.M. serving as lead plaintiff.
In the filing, the patient describes how, after being prescribed Novartis’ Kisqali, she began visiting the drug’s website in late 2024 to learn more about the breast cancer drug and enroll in a savings program. The patient claims that, without her consent, Novartis used “surreptitious tracking tools” such as cookies and pixels to collect personally identifiable information and sensitive health information she shared during visits to the site and passed it along to third parties, including Google and Contentsquare.
Such data can then be used for analyzing consumer behavior and “identifying new market segments to exploit,” per the lawsuit, as well as to personalize ads shown to a specific individual across the internet. Indeed, the plaintiff notes that after she visited the Kisqali website, she “began to see targeted online advertisements for products and services related to her medical condition.”
The lawsuit includes back-end screenshots from several of Novartis’ branded drug sites, allegedly showing information about a patient’s prescription, diagnosis, site visit activity and more is automatically shared with Google and Contentsquare.
The complaint repeatedly alleges that Novartis did not receive authorization from the plaintiff or other members of the class to share their personal and medical information with third parties.
The Kisqali website, for example, does currently include a clickable “Cookie Preference Center” menu stating that if a visitor clicks “Accept,” Novartis “will use optional cookies and similar technologies to collect and disclose your data for targeted ads, social media, and performance and analytics purposes”; declining or abstaining will still allow the tracking tools to collect and share data “for essential site functionality purposes.”
It’s unclear how visible or accessible that information was at the time of the plaintiff’s visits. She claimed that because Novartis did not give site visitors reason to believe it was part of the tracking tool providers’ “surveillance networks,” she and other patients “could not have been reasonably expected” to look over their privacy statements—while also noting that reviewing privacy policies for every single website visited is “practically impossible” for even the most diligent internet user.
According to the filing, as a result of Novartis’ alleged unauthorized data-sharing practices, the plaintiff and other similarly impacted U.S. patients, who could number at least 100,000, have experienced invasions of their medical privacy, emotional distress and a reduction in trust in their communications with medical providers, among other alleged injuries.
The class is suing Novartis on counts of invasion of privacy, negligence, unjust enrichment, violation of the federal Electronic Communications Privacy Act (ECPA) and breaches of confidence, fiduciary duty and implied contract. They’re seeking damages of an untold amount, though each ECPA violation alone could come with statutory damages of up to $10,000, per the filing.
Novartis did not immediately respond to Fierce Pharma Marketing’s request for comment.