Utopia Tech
Healthcare4 min read

Study of Healthcare Websites Shows Widespread and Risky Use of Tracking and Analytics Tools

A recent analysis of healthcare websites has revealed that the majority use marketing and analytics tools that could potentially disclose sensitive data to third parties. The study was jointly conducted by Piwik PRO, a privacy-first web analytics platform provider, and Verified Data, an automated audit platform that helps organizations verify analytics accuracy, data quality, a

UT

Utopia Tech

July 10, 2026 · 4 min read

Share

A recent analysis of healthcare websites has revealed that the majority use marketing and analytics tools that could potentially disclose sensitive data to third parties. The study was jointly conducted by Piwik PRO, a privacy-first web analytics platform provider, and Verified Data, an automated audit platform that helps organizations verify analytics accuracy, data quality, and privacy compliance.

Healthcare organizations have faced increased scrutiny of their use of website tracking and analytics tools in recent years, after studies revealed these tools were being routinely used on healthcare websites, in some cases on authenticated pages, and were disclosing sensitive data to third parties. These tools collect and transmit information to third parties about website use, which may include protected health information – personally identifiable health information that HIPAA requires regulated entities to protect.

Major HIPAA breaches have been reported to the HHS’ Office for Civil Rights (OCR) related to these tools, including by Advocate Aurora Health, Kaiser Permanente, Novant Health, and Atrium Health. Patients are increasingly taking legal action over the use of these tools by healthcare providers. Over the past two years, dozens of lawsuits have resulted in settlements to resolve alleged privacy violations.

Piwik PRO reports that more than $100 million was paid out in settlements between 2023 and 2025 to resolve healthcare privacy violations due to tracking and analytics tools such as Meta Pixel, Google Analytics, and Microsoft Advertising code. The Piwik PRO/Verified Data study findings are published in the healthcare website tracking report, Are healthcare companies one audit away from a compliance crisis?

The study involved scans of 59 websites of major U. S. hospitals and clinics to assess tracking, consent, and data compliance.

The study did not investigate whether protected health information was being disclosed to third parties; rather, it looked for the presence of and behavior of tracking scripts, cookies, advertising pixels, and consent systems. Concerningly, almost three-quarters (73%) of scanned healthcare websites had active advertising or marketing trackers, even when the Global Privacy Control (GPC) opt-out signal was running.

GPC is a browser-based signal that communicates the user’s preference to opt out of the sale or sharing of their personal data to website operators. More than two-thirds of sites (69%) used marketing or advertising cookies, which strongly suggests that data is routed to third-party platforms. The narrow spread between the tracking figure and cookie figure suggests some trackers are likely operating without cookies, which means cookie blocking would not fully prevent exposure.

The researchers identified 75 unique tracking tools across the 59 scanned sites, including Google Analytics, Meta Pixel, Microsoft Advertising and session replay technologies. Over the years, The HIPAA Journal has observed improved education about HIPAA, with patients now having a much better understanding of what HIPAA protects, what it does not, and the rights HIPAA gives them.

Patients expect privacy when they visit their healthcare providers, and those expectations extend to their providers’ digital presence. When they visit a healthcare website and search for information about sensitive health matters, book appointments, or disclose their information in forms, they expect that information to be kept private and not be disclosed to third parties such as social media companies and advertising networks, yet these tools have been doing that for years.

“This isn’t a story about reckless marketers or bad intentions. Healthcare organizations often inherit their analytics setup rather than actively choose it. Google Analytics became the default for many because it was free, established, and widely understood.

The challenge today is scope creep. What began as website analytics has evolved into broader behavioral ad targeting platforms,” explained Magdalena Pawlitko, Head of Global Sales at Piwik PRO. “In regulated sectors such as healthcare, that creates greater compliance risk and requires much closer scrutiny of how data gathering tools are configured and governed.”

The problem for healthcare providers is that these tools provide important and useful features. While there are regulations governing the use of these tools, healthcare providers do not have to call a halt to their digital marketing campaigns, but they do need to assess their strategy and ensure that they have the right infrastructure in place to ensure compliance and protect patient privacy.

“Patients expect that their health-related behavior stays private when they visit a hospital website. “Meeting that expectation is entirely possible with the right setup – and organizations that get there aren’t just reducing their legal risk. They’re building something more valuable: a digital presence their patients can actually trust.

said Brian Clifton, founder of Verified Data and digital analytics and privacy expert. If not done so already, the researchers recommend that healthcare organizations conduct an audit of their current tracking setup, ensure that advertising pixels on web pages that are PHI-adjacent are removed, that they enforce opt-out signals at the tag management layer, replace non-compliant analytics with a purpose-built platform, and ensure they have compliant infrastructure in place.

In addition, the researchers recommend making compliance a standing requirement, rather than a one-off review, ensuring that all compliance-related decisions are fully documented. The post Study of Healthcare Websites Shows Widespread and Risky Use of Tracking and Analytics Tools appeared first on The HIPAA Journal .

Originally published at hipaajournal.com

Share
▸ Want a deeper look?

Talk to an architect about applying this to your stack.

60-minute technical evaluation, no obligation. We'll map the ideas in this article to your environment.

Skip to main content