Ignorance Is No Longer an Excuse: A Timeline of Events Around Tracking Technologies in Healthcare
In the Latin language of the law, there’s a phrase:
Ignorantia juris non excusat
“Ignorance of the law is no excuse.” The idea is that just because you don’t know that it is wrong to, for example, share medical information about patients or users doesn’t mean you’ll get away with it. Your ignorance is no excuse.
But, since HIPAA and tracking technologies have co-existed for years (the HIPAA Privacy Rule was initially written in 2001; Google Analytics launched in 2005; Facebook Pixel launched in 2015), ignorance does seem to have been an excuse. Healthcare companies and providers used these technologies and shared sensitive information with these companies against the HIPAA guidelines.
But in 2022, that started to change. In that year alone, we saw:
- Lawsuits targeting healthcare providers and tracking companies for HIPAA non-compliance
- Journalists investigating compliance violations
- HHS updating its guidance to clarify what isn’t allowed when it comes to tracking tools
Even if ignorance was once an excuse, it can no longer be one. The suits, the stories, and the guidance are all now in front of you, and they are clear: stop using native tracking technology if you are a healthcare provider or company.
Here’s a breakdown of the events over the past few years that have led to this new, privacy-conscious world:
Diving In: A deeper look at fines, lawsuits, and more
As lawsuits and investigations began piling up, it became clear that organizations could no longer ignore the potential risks associated with tracking technologies. Each major case, fine, and updated guidance added new layers of clarity—and urgency—for healthcare providers and tech companies alike.
January 2022 - Mass General settles “Cookies without consent” $18.4M
Link: story
The year started with news of an $18.4 million settlement in a class action lawsuit against Mass General Brigham for “the use of cookies, pixels, website analytics tools, and associated technologies on several websites without first obtaining the consent of website visitors.”
Mass General denied that any protected health information was shared, and this wasn’t a strict HIPAA-led lawsuit. Instead, the plaintiffs were suing based on a general invasion of privacy. But the large settlement showed how seriously courts were starting to take online privacy around tracking, particularly in relation to medical privacy.
June 2022 - Investigation by The Markup
Link: story
A critical juncture in understanding the scope of this problem was the release in June 2022 of The Markup’s investigation into how hospitals were tracking online visitors to their websites.
The Markup investigated the top 100 hospitals in the U.S. and searched for the Facebook Pixel on their websites. They discovered tracking technology on the appointment scheduling pages of 33 hospitals, meaning these hospitals were sending data about appointments—such as dates and providers (PHI)—to Facebook, along with users' IP addresses (an individual identifier). This is a clear violation of HIPAA's privacy rule.
Even more concerning, tracking snippets were found on password-protected pages of seven hospitals, indicating that these sites might have sent all medical information about visitors to Meta servers. The impact of this investigation was significant, leading to multiple lawsuits against Meta (Facebook's parent company) and the involved healthcare providers in the months that followed.
July 2022 - Class action lawsuits against Meta
Link: story
Two lawsuits were immediately filed against Meta and two health systems.
The first lawsuit also dragged in the health systems involved, the University of California San Francisco and Dignity Health. In this lawsuit, a patient claims that the Meta Pixel tool on the UCSF and Dignity Health patient portals sent her medical information to Facebook. As a result, she received ads from pharmaceutical companies specifically targeting her heart and knee issues. This is retargeting.
Retargeting is a core function of Facebook, where Facebook serves you ads depending on how you’ve interacted with a previous page. It suggests UCSF and Dignity Health shared PHI about the patient’s heart and knee problems from their sites with Facebook so that Facebook would know to show a related ad. Retargeting at this level of specificity strongly suggests a HIPAA violation.
In the second lawsuit, a patient using the MedStar Health System in Baltimore, Maryland, sued Meta, saying that when she logged on, the Pixel sent her information to Facebook, including the URL of the previous page she had been on about breast health. Page URL is a PHI identifier in the HIPAA guidelines, and even though at that point the patient wasn’t logged in, this can still be classed as a violation, as MedStar sent both this page information about breast health and the patient’s IP address to Facebook.
August 2022 - Northwestern lawsuit
Link: story
One month later, a federal lawsuit was filed in Illinois against Northwestern Memorial Hospital and Meta for sharing PHI.
The plaintiff found out that his medical information had been shared through The Markup’s investigation and sued for $5 million in damages because he alleged his medical information had been sold for profit. He was seeking:
- The $5 million damages
- Class-action status
- An order for Northwestern to remove any code that may jeopardize patient data.
November 2022 - WakeMed, Advocate Aurora, Duke, Northwestern class action lawsuit
Link: story
November brought two more class-action lawsuits against healthcare systems.
Advocate Aurora Health is a healthcare system concentrated in the Midwest. They had been using Facebook to retarget ads based on medical tests the users had taken or the procedures they had. The PHI of up to 3 million patients had been sent to Facebook.
Advocate Aurora Health is a good example that intent doesn’t matter. Advocate said that the reason it was using tracking and targeting its patients was to improve the UX of the site and remind patients about preventative care.
WakeMed had fewer patients exposed, around 495,000. Like many of the sites in The Markup’s investigation, WakeMed’s appointment page had a Facebook Pixel tracking form data. This data was shared with Meta and, the lawsuit alleges, WakeMed made money from the data sharing.
December 2022 - HHS updates tracking technology guidance
Link: guidance
Rounding off the year, HHS updated its guidance on using tracking technologies in light of the mounting lawsuits. The idea was to be more definitive about what was and wasn’t allowed regarding tracking technologies and HIPAA compliance. Specifically:
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.”
“Impermissible disclosures of PHI to tracking technology vendors” is everything that had already been litigated that year and had been flagged in The Markup’s investigation. The point of this guidance was to make clear two things:
- That PHI can be anywhere on your site, not just within a patient portal. If you are tracking a public page or an appointment page, those too can include PHI.
- Tracking within a patient portal is absolutely forbidden, no matter the intent.
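The Markup’s check (June 2022) and the two points of this guidance describe the same audit: look for the pixel on every page, and treat appointment pages and anything behind a login as PHI-bearing. Below is an added example of that audit as a Python script, written for this post and not part of the original or of any vendor’s tooling; the page paths, the `requires_login` flag, the HTML and the tracker regexes are constructed samples and assumptions, not data from any real hospital site.

```python
import re
from dataclasses import dataclass

# Constructed sample pages: (path, requires_login, html). Not from any real site.
SAMPLE_PAGES = [
    ("/", False, "<head><script>gtag('config','G-EXAMPLE');</script></head>"),
    ("/appointments/schedule", False,
     "<script>fbq('init','000');fbq('track','Schedule',{dept:'Cardiology'});</script>"),
    ("/portal/messages", True, "<script>fbq('init','000');fbq('track','PageView');</script>"),
    ("/about", False, "<p>No trackers here</p>"),
]

# Hypothetical signatures for the two vendors named in the post.
TRACKER_PATTERNS = {
    "Meta Pixel": re.compile(r"fbq\(\s*['\"]init['\"]", re.I),
    "Google Analytics": re.compile(r"gtag\(\s*['\"]config['\"]|ga\(\s*['\"]create['\"]", re.I),
}
# Public paths whose URL alone reveals health context (assumed list).
SENSITIVE_PATH = re.compile(r"appointment|schedule|find-a-doctor|condition|symptom", re.I)

@dataclass
class Finding:
    path: str
    tracker: str
    severity: str
    reason: str

def find_trackers(html: str) -> list[str]:
    """Return the names of tracker snippets present in a page's HTML."""
    return [name for name, pat in TRACKER_PATTERNS.items() if pat.search(html)]

def audit_page(path: str, requires_login: bool, html: str) -> list[Finding]:
    """Classify each tracker on one page by the guidance's two rules."""
    findings = []
    for tracker in find_trackers(html):
        if requires_login:          # rule 2: portal tracking is always a problem
            findings.append(Finding(path, tracker, "high", "tracker on authenticated portal page"))
        elif SENSITIVE_PATH.search(path):   # rule 1: URL itself carries PHI
            findings.append(Finding(path, tracker, "high", "tracker on page whose URL reveals health context"))
        else:                       # public page: still needs a manual PHI review
            findings.append(Finding(path, tracker, "review", "tracker on public page; confirm no PHI in URL or forms"))
    return findings

def audit_site(pages) -> list[Finding]:
    """Run the audit over every crawled page and flatten the results."""
    return [f for page in pages for f in audit_page(*page)]

if __name__ == "__main__":
    for f in audit_site(SAMPLE_PAGES):
        print(f"{f.severity:6} {f.path:24} {f.tracker}: {f.reason}")
```

Feed it the page list from a real crawl of your own site, with `requires_login` set from your auth configuration, and every "high" line is a page to fix before anything else.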
You can read more about this HHS guidance here.
February 2023 - FTC fines GoodRx $1.5M
Link: press release
Come the start of this year, the news switched away from just healthcare systems to the wider problem of healthcare technology. If you are dealing with any medical information about a patient, user, or visitor, you have to follow the HIPAA guidelines.
The FTC fined GoodRx $1.5 million for “deceptively” sharing information with Facebook and other providers and “cash[ing] in on consumers' extremely sensitive and personally identifiable health information.” It was serving ads to customers based on their use of GoodRx.
GoodRx also got its wrists slapped for misrepresenting its HIPAA Compliance:
“GoodRx displayed a seal at the bottom of its telehealth services homepage falsely suggesting to consumers that it complied with the Health Insurance Portability and Accountability Act of 1996 (HIPAA), a law that sets forth privacy and information security protections for health data.”
February 2023 - Cedars-Sinai Medicine class action lawsuit
Link: story
February brought another Markup-related lawsuit, this one against Cedars-Sinai Medicine for using tracking technologies on its website, where it had encouraged users to go, research, find doctors, and book appointments: all data it was then sending on to tracking vendors such as Facebook and Google.
The plaintiff in this case saw more health-related ads on Facebook after he had used the Cedars-Sinai website, and saw specific ads for the medical condition he disclosed on that site.
A difference between this lawsuit and the others from 2022 is that Facebook isn’t a defendant in this case; it’s purely about the healthcare system and its mistakes.
March 2023 - FTC fines BetterHelp $7.8M
Link: press release
This brings us to yet another fine for a healthtech company: the FTC fined BetterHelp $7.8 million for a breach of trust similar to that of GoodRx.
Like with GoodRx, BetterHelp had told the users multiple times that all data was confidential and nothing was to be shared with a third party.
But BetterHelp went ahead and retargeted ads to visitors to its site and app using sensitive information they had shared about their mental health. So, people who wanted mental health help from BetterHelp saw their problems splashed across ads after they had reached out.
May 2023 - FTC fines Premom $100K and bars them from sharing data with Google
Link: press release
Premom violated the FTC’s Health Breach Notification Rule by sharing sensitive health data with AppsFlyer and Google and failing to notify users. This one is a little different because it’s not a HIPAA violation, but it is still a health information violation, which is policed by the FTC.
The FTC's settlement with Premom requires the company to stop sharing personal health data with third parties, obtain consent before sharing any health data for any other purpose, and pay a fine of $100,000.
July 2023 - FTC and HHS issue a joint warning about the security risks from web tracking tools
Link: press release
The FTC and the HHS sent a letter to 130 healthcare organizations alerting them that they might be at risk of violating HIPAA for using common web trackers like Meta’s advertising pixel and Google’s analytics platform.
The big takeaway is that this letter isn’t just a warning; it’s more of an ultimatum. The letter essentially said to these 130 healthcare orgs, “Stop sharing PHI with third-party platforms or face serious consequences.”
Read more: Cut the Jargon: A Look at the FTC-HHS Privacy Warning and What It Means For Your Healthcare Org
November 2023 - AHA files a lawsuit against HHS
Link: story
The American Hospital Association (AHA) filed a federal lawsuit calling on the courts to bar enforcement of HHS’s policy, taking aim at the “Proscribed Combination.” They argued that an individual’s IP address combined with a visit to a specific web page isn’t sufficient to constitute PHI.
December 2023 - New York-Presbyterian Hospital fined $300k
Link: press release
The Office of the Attorney General found NY Presbyterian Hospital violated HIPAA because of how it was using advertising tools on its website. Those tools, from Meta, Google, and others, were collecting PHI without authorization.
As a result of the settlement, NYP had to pay $300k, change its advertising policies, and maintain enhanced privacy safeguards and controls.
March 2024 - HHS approves CDPs like Freshpaint
Link: updated guidance
HHS updated its guidance to call out Customer Data Platforms, like Freshpaint, as viable alternatives to web tracking technologies that don’t support Business Associate Agreements (BAAs).
Read more: HHS Approves Tools Like Freshpaint In Latest Guidance Update
April 2024 - Kaiser Permanente reports data breach impacting 13.4M members
Link: story
Kaiser Permanente notified 13.4 million members of an April data breach involving tracking tools that may have shared patient information with advertisers like Microsoft and Google.
April 2024 - FTC fines Cerebral $7M
Link: press release
Cerebral was fined by the FTC for security and privacy violations from 2019 to 2023, including sharing sensitive health information of over 3 million users with platforms like TikTok and Meta.
Read more: Beyond the Fine: What the FTC’s Crackdown on Cerebral Really Means for Healthcare Marketers
June 2024 - A Texas judge vacates a narrow part of HHS’s guidance
Link: story
U.S. District Judge Mark Pittman ruled that HHS overreached with its December 2022 guidance on HIPAA's "Proscribed Combination." However, he did not alter other aspects of HIPAA guidance, making this a narrow decision rather than a broad rollback of HIPAA rules on publicly accessible sites.
October 2024 - Lawsuits filed against LinkedIn, Meta, and Spring Fertility
Link: story
LinkedIn faces class action lawsuits alleging it intercepted users' medical information through tracking tools on healthcare sites. Meta and Spring Fertility are co-defendants, with the lawsuits demanding damages and policy changes.
What will 2025 bring?
There can be no excuse now. If you are still using native tracking technology on your healthcare site, you are probably violating HIPAA. Stop now. If you are doing so and lying about it in your privacy policies, you are going to get fined millions of dollars.
More stories like this will come out as a) the clean-up from people not understanding the ramifications continues, and b) people continue to make the same mistakes. Don’t let that be you.
Learn how Columbus Regional Health successfully navigated through all of these warnings and lawsuits by watching the video below: