Why Meta Pixel and Google Ads Tracking Triggered $100M+ in Healthcare Lawsuits

Tracking pixels that were standard infrastructure five years ago have become one of the most expensive technology choices in recent healthcare history. The question worth asking is not whether your practice could be next, but why so few practices have looked.

Between 2022 and 2025, the healthcare industry quietly became the most active battleground in U.S. data privacy litigation. The catalyst was not a single regulatory action or a coordinated enforcement push. It was a wave of class-action lawsuits, filed in courts across the country, that targeted health systems, hospitals, and medical practices for the way their websites handled visitor data.

The legal theory was straightforward. Defendants had installed tracking pixels — Meta Pixel, Google Analytics, Google Ads conversion tags, and similar tools — on their websites and patient portals. Those pixels transmitted visitor data to third-party platforms with which the defendants had no Business Associate Agreement (BAA) in place. The plaintiffs argued that the transmissions were unauthorized disclosures of protected health information (PHI).

The argument worked. Settlements in the eight-figure range became routine. By the time most practice owners noticed the trend, hundreds of cases had been filed and well over a hundred million dollars in aggregate settlements had been disclosed.

How the Cases Got Built

The mechanics of the litigation are worth understanding because they explain why so many organizations were exposed without realizing it.

Most cases originated with investigative reporting and academic research showing that healthcare websites were sending visitor data to advertising platforms, and that in a healthcare context that data amounted to PHI. The investigations were not technically sophisticated. Researchers loaded healthcare websites in a browser with the network inspection tools open and recorded which third-party endpoints received the page URL, the referrer, and any visitor identifiers.

Once that data was public, plaintiffs’ attorneys built class actions on top of it. The theory of the case was simple to communicate to a jury. A patient visited a hospital website to research a condition. The hospital’s pixel sent the patient’s IP address, the URL of the condition page, and sometimes more granular data to a platform that used the information for advertising purposes. The patient never knew. The hospital had not obtained authorization. The platform was not under a BAA. Therefore, the patient’s PHI had been disclosed without consent.
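The check the researchers ran is easy to reproduce against your own site. The script below is an added example, not code from the original article: it takes the request URLs from a browser network capture (here a constructed, HAR-like list rather than real traffic) and reports every beacon sent to a known tracker host, the first-party page URL and referrer carried in that beacon, any visitor-identifier parameters, and whether the page URL falls on a health-context path. The tracker host list, the parameter names (`dl`, `rl`, `dr`, `ud[em]`) and the sensitive-path patterns are assumptions chosen for illustration and should be adjusted to the site under audit.

```python
"""Audit captured browser traffic for tracking-pixel beacons that carry
health-context page URLs or visitor identifiers off-site.

Added example, not code from the original article. The capture below is
constructed by hand as a list of request URLs; in practice you would take
the entries of a HAR file exported from the browser's network panel.
Tracker host suffixes, parameter names and sensitive-path patterns are
assumptions for illustration.
"""
import re
from typing import List, Optional
from urllib.parse import parse_qs, urlparse

# Third-party hosts that receive pixel beacons (assumed list; extend per audit).
TRACKER_HOST_SUFFIXES = (
    "facebook.com",          # Meta Pixel beacons
    "google-analytics.com",  # Google Analytics collect endpoint
    "googleadservices.com",  # Google Ads conversion tags
    "doubleclick.net",       # Google marketing platform
)

# Query parameters in which pixels commonly carry the visited page URL and
# the referrer (assumption: names vary by vendor and version).
PAGE_URL_PARAMS = ("dl", "url")
REFERRER_PARAMS = ("rl", "dr")

# First-party paths that make the visited URL itself health-related
# (assumed patterns for this example).
SENSITIVE_PATH_RE = re.compile(
    r"/(conditions|treatments|portal|appointments|providers)(/|$)", re.I)

# Parameters that identify the visitor directly (assumption: keys in the
# style of Meta's "advanced matching"; real deployments may use others).
IDENTIFIER_PARAM_RE = re.compile(r"^(ud\[(em|ph|fn|ln)\]|em|ph)$")


def is_tracker_host(host: str) -> bool:
    host = host.lower()
    return any(host == s or host.endswith("." + s) for s in TRACKER_HOST_SUFFIXES)


def audit_request(request_url: str) -> Optional[dict]:
    """Return a finding for one request, or None if it is not a tracker beacon."""
    parsed = urlparse(request_url)
    if not is_tracker_host(parsed.hostname or ""):
        return None
    # parse_qs decodes both keys and values, so ud%5Bem%5D becomes ud[em].
    flat = {k: v[0] for k, v in parse_qs(parsed.query, keep_blank_values=True).items()}

    page_url = next((flat[k] for k in PAGE_URL_PARAMS if k in flat), None)
    referrer = next((flat[k] for k in REFERRER_PARAMS if k in flat), None)
    identifiers = sorted(k for k in flat if IDENTIFIER_PARAM_RE.match(k))

    # The beacon is health-context if either URL it carries is on a sensitive path.
    sensitive = any(
        u and SENSITIVE_PATH_RE.search(urlparse(u).path) for u in (page_url, referrer))

    return {
        "tracker": parsed.hostname,
        "page_url": page_url,
        "referrer": referrer,
        "identifiers": identifiers,
        "sensitive_context": bool(sensitive),
    }


def audit_capture(request_urls) -> List[dict]:
    """Audit every request in a capture and keep only tracker beacons."""
    findings = []
    for url in request_urls:
        finding = audit_request(url)
        if finding:
            findings.append(finding)
    return findings


# Constructed capture: requests a browser might make while a visitor reads a
# condition page and then opens the patient portal. Not real traffic.
CONSTRUCTED_CAPTURE = [
    "https://www.example-clinic.test/conditions/hiv-care",
    "https://www.facebook.com/tr/?id=123456&ev=PageView"
    "&dl=https%3A%2F%2Fwww.example-clinic.test%2Fconditions%2Fhiv-care"
    "&rl=https%3A%2F%2Fwww.google.com%2F"
    "&ud%5Bem%5D=5d41402abc4b2a76b9719d911017c592",
    "https://www.google-analytics.com/g/collect?v=2&tid=G-ABC123"
    "&dl=https%3A%2F%2Fwww.example-clinic.test%2Fportal%2Flogin&dt=Patient%20Portal",
    "https://cdn.example-clinic.test/static/logo.png",
]

if __name__ == "__main__":
    for finding in audit_capture(CONSTRUCTED_CAPTURE):
        print(finding)
```

Run against a real export, a finding with `sensitive_context` true and a non-empty `identifiers` list is exactly the combination the lawsuits turned on: a health-related page URL and a visitor identifier leaving the first-party domain in the same request.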

Defendants raised numerous defenses. Most of them did not hold up well in front of juries or in pretrial rulings, and the settlement pressure built quickly.

The Regulatory Backdrop

The litigation accelerated in parallel with regulatory guidance from the Department of Health and Human Services that made the underlying interpretation explicit.

In December 2022, HHS issued a bulletin stating that data collected by tracking technologies on healthcare websites and patient portals is PHI when it can be tied to an individual and relates to that person's health, care, or payment for care. HHS revised and expanded the bulletin in March 2024. A federal court later that year vacated the portion applying to unauthenticated pages, where the only link to an individual was a visitor's IP address combined with a visit to a health-related page, but the bulletin's treatment of authenticated patient-portal pages and of directly identifying data stayed in force.

That guidance changed the litigation environment in two ways. It made plaintiffs’ theory more defensible because it now had explicit regulatory support. And it created a parallel risk of enforcement action by the Office for Civil Rights — the agency that enforces HIPAA — independent of any private lawsuit.

Practices whose pixel configurations already exposed them were now exposed on two fronts at once: the litigation track and the regulatory track, each capable of producing significant financial consequences.

Why So Many Practices Were Caught

The most striking feature of the wave was how widespread the underlying configuration was. Health systems with substantial compliance budgets, multi-state hospital networks, and well-known regional medical brands were among the defendants. The reason has less to do with negligence than with the structural mismatch between standard marketing infrastructure and healthcare-specific compliance requirements.

Marketing pixels are installed by marketing teams or marketing agencies. Those teams typically do not have HIPAA expertise. Compliance teams, when they exist, focus on EHR access, claims data, business associate management of clinical vendors, and patient records. Marketing infrastructure historically did not appear on compliance audits because nobody thought of marketing as a HIPAA surface area.

By the time the regulatory and litigation environment caught up, almost every healthcare website in the country had been running standard pixel infrastructure for years. The exposure was the default state of the industry, not an exception within it.

What This Means for Smaller Practices

A small practice owner reading the case history might reasonably observe that the headlines have been about large health systems and hospital networks, and that the relevance to a single-location orthopedic group or a five-location med spa platform is not obvious.

It is worth being direct about this. The legal theory does not distinguish by size. The same configuration that exposed a hospital system to a class action exposes a small practice to the same theory. The reason small practices have not been the primary targets is economic — class action plaintiffs’ attorneys go after defendants whose settlements will be large enough to justify the work. That economic dynamic does not protect small practices indefinitely.

Three trends are shifting smaller practices into the line of fire. First, plaintiffs’ firms have started aggregating multiple smaller defendants into broader cases. Second, individual lawsuits — as opposed to class actions — have become more common, and individual claims are economically viable against smaller practices. Third, state-level data privacy regulators have begun pursuing healthcare cases as well, and state actions often target smaller defendants that federal regulators would not.

The size shield is eroding. Practices that have been comforted by the fact that they are not in the headlines should not extrapolate that comfort into the next several years.

What Defendants Have Done in Response

Organizations that have been through this process have, almost without exception, made structural changes to their marketing infrastructure. The changes follow a recognizable pattern.

Client-side pixels on sensitive pages have been removed or substantially reconfigured. Server-side conversion tracking, where data is processed in a controlled environment before any selective transmission to ad platforms, has become the default architecture for paid advertising. Analytics tools have been audited, with non-compliant tools removed or restricted to non-healthcare contexts. Patient portal pages have been segregated entirely from any marketing technology, often through technical architecture changes that prevent marketing scripts from loading on those pages.

None of this is exotic. All of it requires intention and a willingness to accept some loss of measurement granularity in exchange for materially reduced risk.
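Two of the changes above can be shown concretely. The following is an added example, not code from the original article or from any ad platform's SDK. The first function is the server-side gate: a raw conversion event is reduced to an allowlisted subset before anything is forwarded, and it is dropped outright if the event type is not one the practice chose to report or if it originated on a health-context page. The second pair of functions is the portal segregation: the Content-Security-Policy `script-src` emitted for a page includes marketing-script origins only on non-sensitive paths, so a pixel cannot load on portal pages even if a tag manager tries. Event field names, the allowlists, the path patterns and the marketing origins are assumptions chosen for illustration.

```python
"""Server-side conversion gate and per-path script policy.

Added example, not code from the original article or any vendor SDK.
Field names, allowlists, path patterns and origins are assumptions for
illustration; adapt them to the practice's own site and ad platform.
"""
import hashlib
import re
from typing import Optional
from urllib.parse import urlparse

# Paths whose very URL carries health context (assumed patterns). Events from
# these pages are never forwarded, and these pages never load marketing scripts.
SENSITIVE_PATH_RE = re.compile(
    r"/(conditions|treatments|portal|appointments|providers)(/|$)", re.I)

# Conversion events the practice is willing to report at all, and the only
# fields of an event that may leave the server (assumed allowlists).
FORWARDABLE_EVENTS = {"appointment_request_submitted", "contact_form_submitted"}
FORWARDABLE_FIELDS = ("event_name", "event_time", "event_id")

# Marketing-script origins acceptable on ordinary marketing pages only (assumed).
MARKETING_SCRIPT_ORIGINS = ("https://connect.facebook.net",
                            "https://www.googletagmanager.com")
FIRST_PARTY_SCRIPT_SRC = "'self'"


def filter_conversion_event(event: dict) -> Optional[dict]:
    """Reduce a raw event to the subset safe to forward, or return None to drop it.

    Everything not on the allowlist (IP address, user agent, email, source
    URL, free-form custom data) is discarded rather than forwarded.
    """
    if event.get("event_name") not in FORWARDABLE_EVENTS:
        return None
    source = event.get("event_source_url", "")
    if source and SENSITIVE_PATH_RE.search(urlparse(source).path):
        return None
    forwarded = {k: event[k] for k in FORWARDABLE_FIELDS if k in event}
    # A deterministic event_id lets the ad platform deduplicate a server event
    # against any client event without the server sending identity. It is
    # derived from an opaque session token (assumption), not from PHI.
    if "event_id" not in forwarded and "session_token" in event:
        digest = hashlib.sha256(
            f"{event['session_token']}:{event['event_name']}".encode()).hexdigest()
        forwarded["event_id"] = digest[:32]
    return forwarded


def marketing_allowed(path: str) -> bool:
    """Marketing scripts may load only on pages that carry no health context."""
    return not SENSITIVE_PATH_RE.search(path)


def script_src_for_path(path: str) -> str:
    """Build the script-src directive for the page's Content-Security-Policy header."""
    sources = [FIRST_PARTY_SCRIPT_SRC]
    if marketing_allowed(path):
        sources.extend(MARKETING_SCRIPT_ORIGINS)
    return "script-src " + " ".join(sources)


# Constructed sample events, not real traffic.
SAMPLE_EVENTS = [
    {"event_name": "appointment_request_submitted", "event_time": 1700000000,
     "event_source_url": "https://www.example-clinic.test/request-appointment",
     "session_token": "s3ss10n", "client_ip_address": "203.0.113.7",
     "user_data": {"em": "patient@example.test"}},
    {"event_name": "page_view", "event_time": 1700000001,
     "event_source_url": "https://www.example-clinic.test/conditions/hiv-care"},
    {"event_name": "contact_form_submitted", "event_time": 1700000002,
     "event_source_url": "https://www.example-clinic.test/portal/messages"},
]

if __name__ == "__main__":
    for sample in SAMPLE_EVENTS:
        print(filter_conversion_event(sample))
    print(script_src_for_path("/about"))
    print(script_src_for_path("/portal/login"))
```

The trade-off the text mentions is visible in the output: the forwarded event carries no page URL, IP address or email, so the ad platform can count the conversion but cannot attribute it to a person or a condition page, and that is the measurement granularity being given up.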

The Decision Worth Making Now

Practices that have not yet been touched by this wave have something the defendants did not have: the chance to make changes before there is a complaint to respond to.

Making changes proactively is meaningfully easier than making them under litigation pressure. There is no urgency-driven decision-making. There is no opposing counsel scrutinizing the process. There is the ordinary work of auditing the current state, deciding the appropriate target state, and executing the change.

Making changes reactively is more expensive in almost every dimension. The legal costs are direct. The technical work happens under deadlines. The agency relationships involved often deteriorate. And in many cases, the underlying liability cannot be retroactively cured — the data was already transmitted, regardless of what gets fixed going forward.

The proactive path is the cheaper one and the cleaner one. The reactive path tends to find practices that did not take the proactive one.
