Study Reveals 73% of Healthcare Websites Leak Data via Hidden Tracking Tools

A new study reveals that 73% of healthcare websites use marketing tracking tools that could expose sensitive patient data to third parties, raising serious HIPAA compliance concerns.

MRAdmin
By
4 Min Read

A new study jointly conducted by Piwik PRO and Verified Data has revealed that the vast majority of healthcare websites use marketing and analytics tracking tools that could potentially expose sensitive patient data to third parties, raising serious HIPAA compliance concerns.

Study Methodology and Key Findings

The study scanned 59 websites of major U.S. hospitals and clinics to assess tracking, consent, and data compliance practices. Researchers examined the presence and behavior of tracking scripts, cookies, advertising pixels, and consent systems across these healthcare domains.

Among the most alarming findings: nearly three-quarters (73%) of scanned healthcare websites had active advertising or marketing trackers even when the Global Privacy Control (GPC) opt-out signal was running. More than two-thirds of sites (69%) used marketing or advertising cookies, strongly suggesting that data is being routed to third-party platforms.

The researchers identified 75 unique tracking tools across the 59 scanned sites, including Google Analytics, Meta Pixel, Microsoft Advertising, and session replay technologies.

HIPAA Compliance and Patient Privacy Risks

Healthcare organizations have faced increased scrutiny over their use of website tracking and analytics tools in recent years. Earlier investigations revealed these tools were routinely collecting and transmitting information to third parties – in some cases from authenticated patient portal pages – potentially including protected health information (PHI).

Major HIPAA breaches have been reported to the HHS Office for Civil Rights (OCR) related to these tools, including incidents at Advocate Aurora Health, Kaiser Permanente, Novant Health, and Atrium Health. According to Piwik PRO, more than $100 million was paid out in settlements between 2023 and 2025 to resolve healthcare privacy violations due to tracking tools such as Meta Pixel, Google Analytics, and Microsoft Advertising code.

Patients are increasingly taking legal action over the use of these tools by healthcare providers. Dozens of lawsuits filed over the past two years have resulted in significant settlements to resolve alleged privacy violations.

Expert Analysis

“This isn’t a story about reckless marketers or bad intentions. Healthcare organizations often inherit their analytics setup rather than actively choose it,” explained Magdalena Pawlitko, Head of Global Sales at Piwik PRO. “What began as website analytics has evolved into broader behavioral ad targeting platforms. In regulated sectors such as healthcare, that creates greater compliance risk and requires much closer scrutiny.”

Brian Clifton, founder of Verified Data, added: “Patients expect that their health-related behavior stays private when they visit a hospital website. Meeting that expectation is entirely possible with the right setup – and organizations that get there aren’t just reducing their legal risk. They’re building something more valuable: a digital presence their patients can actually trust.”

Recommendations for Healthcare Organizations

The researchers recommend that healthcare organizations take the following steps to address compliance risks:

  • Conduct a comprehensive audit of their current tracking setup
  • Remove advertising pixels from web pages that are PHI-adjacent
  • Enforce opt-out signals at the tag management layer
  • Replace non-compliant analytics with purpose-built platforms designed for regulated industries
  • Make compliance a standing requirement rather than a one-off review
  • Document all compliance-related decisions thoroughly
Share This Article
Leave a Comment

Leave a Reply

Your email address will not be published. Required fields are marked *