Apr 27, 2026
Hospitals Tracked Patients With the Same Pixel That Reads Your Email—They Have Paid $100 Million So Far
Sutter Health, Inova, and at least 17 other healthcare providers deployed Meta and Google tracking pixels on patient portals. The settlements keep growing.
Your Hospital Visit Was Not Private
When you log into your hospital's patient portal, you expect that visit to stay between you and your doctor. You are checking lab results, messaging a specialist, or scheduling a procedure. Courts across the country are now confirming that for millions of patients, those interactions were quietly relayed to Facebook and Google.
The mechanism was a tracking pixel. The same invisible, one-pixel image that marketers embed in emails to know when you open them was also sitting on hospital login pages, appointment schedulers, and patient portals. Every time a patient loaded the page, the pixel fired a request to Meta or Google's servers, carrying data about what the patient was doing and who they were.
Since 2023, healthcare organizations have paid more than $100 million in settlements to resolve lawsuits over this practice. And the wave is not slowing down.
Sutter Health: $21.5 Million for Pixel Tracking on a Patient Portal
In February 2026, a court granted final approval to a $21.5 million settlement against Sutter Health, one of California's largest healthcare systems. The lawsuit alleged that Sutter embedded Google Analytics, the Meta pixel, and other advertising tools on its MyHealthOnline patient portal. When patients logged in to view lab results or schedule appointments, the tracking code transmitted their activity to third parties without authorization.
The class covers anyone who was a California resident and logged into MyHealthOnline between June 2015 and March 2020. Eligible patients can claim up to $90 each, with claims open until May 5, 2026. The legal basis drew on three California statutes: the Invasion of Privacy Act, the Unfair Competition Law, and the Confidentiality of Medical Information Act.
Sutter did not admit wrongdoing.
Inova Health: $3.1 Million for the Same Practice
Inova Health Care Services, a major Virginia healthcare provider, agreed to a $3.1 million settlement over tracking pixel use on its public-facing websites and MyChart patient portal. The lawsuit alleged that Meta and Google received patient data through pixel trackers embedded on Inova's pages between April 2022 and April 2024, violating the Electronic Communications Privacy Act and HIPAA.
The settlement was granted final approval in April 2026. Class members received a one-time cash payment from the settlement fund.
At Least 19 Hospitals Have Settled Since 2023
Sutter and Inova are not outliers. Researchers identified the Meta Pixel on the patient portals of at least 33 major health systems, and a consolidated analysis of tracking pixel cases from 2023 to 2025 found settlements and penalties totaling more than $100 million across 19 cases.
The largest settlements include:
- GoodRx: $25 million class action plus a $1.5 million FTC fine for sharing prescription data
- Mass General Brigham: $18.4 million for cookie and pixel violations
- Aspen Dental: $18.5 million for Meta and Google tracker use without consent
- Advocate Aurora Health: $12.25 million after exposing 3 million patients via Meta Pixel
- BetterHelp: $7.8 million for sharing mental health data through tracking tools
- Cerebral: $7 million for sharing 3.2 million users' health data
- Novant Health: $6.66 million
- DaVita: $3.8 million
A federal judge also ordered Mark Zuckerberg to sit for a deposition in the consolidated Meta Pixel Healthcare Litigation, which alleges that Meta knowingly collected protected health information through its tracking pixel.
How the Tracking Worked
The Meta Pixel is a small snippet of JavaScript that website operators add to their pages. When a visitor loads a page with the pixel, it sends a request to Meta's servers containing the page URL, the visitor's IP address, browser information, and any custom data the site operator configured. Google Analytics works similarly, collecting page views, session data, and user identifiers.
On a retail website, this is standard web analytics. On a hospital patient portal, the page URL might contain a department name, a doctor's specialty, or an appointment type. Combined with a Facebook or Google login cookie already in the browser, that data could be matched to a real person. The lawsuits allege this happened without patients' knowledge or consent, and without the Business Associate Agreements that HIPAA requires before sharing protected health information with third parties.
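For site operators who want to check their own pages for this kind of leak, the following is an added example (not code from any of the cases or vendors named here). It takes captured browser requests and reports every third-party request that exposes a portal page URL, either in the Referer header or in a query-string value. The hosts, the parameter names in the sample, and the keyword list are assumptions made for illustration.

```javascript
// Added example: audit captured portal traffic for page URLs sent to third parties.
// SENSITIVE is an assumed keyword list; tune it to the portal's own URL scheme.
const SENSITIVE = /(oncology|cardiology|psychiatry|appointment|lab-results|prescription)/i;

function isThirdParty(host, firstParty) {
  return host !== firstParty && !host.endsWith("." + firstParty);
}

// Every place a request can expose a first-party page URL: the Referer header
// and any query-string value that decodes to a URL on the portal's own domain.
function exposedPageUrls(req, firstParty) {
  const candidates = [];
  if (req.referer) candidates.push(["referer", req.referer]);
  for (const [key, value] of new URL(req.url).searchParams) {
    candidates.push(["param:" + key, value]);
  }
  return candidates.filter(([, value]) => {
    try { return !isThirdParty(new URL(value).hostname, firstParty); }
    catch { return false; } // not a URL (event names, ids, timestamps)
  });
}

function auditRequests(requests, firstParty) {
  const findings = [];
  for (const req of requests) {
    const receiver = new URL(req.url).hostname;
    if (!isThirdParty(receiver, firstParty)) continue;
    for (const [where, pageUrl] of exposedPageUrls(req, firstParty)) {
      const page = new URL(pageUrl);
      const hit = (page.pathname + page.search).match(SENSITIVE);
      findings.push({
        receiver, where, pageUrl,
        sensitiveTerm: hit ? hit[1].toLowerCase() : null,
        identifiable: Boolean(req.cookie), // a third-party cookie ties the visit to a profile
      });
    }
  }
  return findings;
}

// Constructed sample (hypothetical hosts and parameter names), shaped like HAR entries.
const SAMPLE_REQUESTS = [
  { url: "https://portal.hospital.example/static/app.js", referer: "https://portal.hospital.example/appointments/oncology", cookie: "sid=abc" },
  { url: "https://tracker.adnetwork.example/tr?ev=PageView&dl=https%3A%2F%2Fportal.hospital.example%2Fappointments%2Foncology%3Fdoctor%3D123", referer: "https://portal.hospital.example/", cookie: "uid=42" },
  { url: "https://cdn.fonts.example/font.woff2", referer: null, cookie: null },
];

console.log(auditRequests(SAMPLE_REQUESTS, "hospital.example"));
```

In the sample, the Referer header carries only the portal's origin, yet the full appointment URL still reaches the third party through a query parameter set by the tracking script, which is why the audit has to inspect both.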
The same core technology powers email tracking pixels. When a company sends you a marketing email, an invisible image loads from their server the moment you open it, revealing your IP address, device type, and the exact time you read it. The pixel on a hospital website and the pixel in your inbox share the same DNA: a silent request to a remote server that reveals more about you than you agreed to share.
What Data Was Shared
Across the lawsuits, the types of patient data transmitted through tracking pixels included:
- Patient portal login activity and session data
- Pages visited within the portal, including department and specialty pages
- Appointment scheduling information
- IP addresses and device fingerprints
- Prescription and medication data (in the GoodRx and Cerebral cases)
- Mental health treatment information (in the BetterHelp case)
In several cases, this data was paired with existing Facebook or Google profiles, meaning the tech companies could theoretically link a patient's medical portal activity to their social media identity. None of the hospitals had signed the Business Associate Agreements that HIPAA requires before sharing health data with third-party vendors.
Why This Matters Beyond Hospitals
These settlements confirm what privacy advocates have argued for years: tracking pixels collect more data than most people realize, and the organizations deploying them often have no idea what information they are leaking. If 33 major hospital systems failed to notice that their patient portals were transmitting health data to advertising companies, the same blind spot exists everywhere tracking pixels are used.
The technology is identical in your inbox. Every marketing email, newsletter, and promotional message can contain a tracking pixel that fires when you open it. It reports your IP address, your device, your location, and the exact timestamp. Unlike a hospital, which at least has HIPAA obligations, the company emailing you has almost no legal restriction on what it does with that data. Courts have started treating website tracking pixels as illegal wiretaps under California's CIPA law, but email pixels remain largely unregulated in the United States.
If hospitals owed patients $100 million for pixel tracking on websites, the scale of pixel tracking in email dwarfs it. An estimated 70% of marketing emails contain at least one tracking pixel, and most recipients never know it is there.
How to Check If You Are Eligible
If you used a patient portal at any of the hospitals listed above during the relevant class periods, you may be entitled to a settlement payment. The two currently active settlements:
- Sutter Health: California residents who logged into MyHealthOnline between June 2015 and March 2020. Claims open until May 5, 2026. Payout up to $90.
- Inova Health: Anyone with an Inova MyChart account who visited Inova websites between April 2022 and April 2024. Final approval granted April 2026.
Additional settlements from Advocate Aurora, Mass General Brigham, and others may still have open claims or upcoming distribution dates. Check the settlement administrator websites for each case to verify eligibility and deadlines.
How to Stop Pixel Tracking in Your Email
While you cannot retroactively stop hospitals from sharing your data, you can block the same tracking technology where it is most pervasive: your inbox. Email tracking pixels work by loading a remote image when you open a message. Blocking that image request prevents the sender from knowing you opened the email.
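How blocking the image request can work in practice, as an added example (not the code of Gblock or any other product): the function below scans an email's HTML body, removes remote images that are at most 1x1 or hidden by inline CSS, and returns the hosts that would have been contacted. The heuristics and the sample message are assumptions made for illustration.

```javascript
// Added example: heuristic detection and removal of tracking pixels in email HTML.
// Assumed heuristics (not any product's rules): a remote <img> that is at most
// 1x1 or hidden by inline CSS has no visual purpose and is treated as a tracker.
function parseAttrs(tag) {
  const out = {};
  const re = /([a-z-]+)\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/gi;
  for (const m of tag.matchAll(re)) out[m[1].toLowerCase()] = m[2] ?? m[3] ?? m[4];
  return out;
}

function remoteHost(src) {
  if (!/^https?:\/\//i.test(src || "")) return null; // cid: and data: never reach a server
  try { return new URL(src).hostname; } catch { return null; }
}

function isTiny(value) {
  const n = parseInt(value, 10); // "1", "0", "1px" are tiny; missing or "600" is not
  return !Number.isNaN(n) && n <= 1;
}

function isTrackingPixel(a) {
  if (remoteHost(a.src) === null) return false;
  const css = (a.style || "").replace(/\s+/g, "").toLowerCase();
  const hidden = /display:none|visibility:hidden/.test(css);
  const tinyCss = /(^|;)width:[01](px)?(;|$)/.test(css) && /(^|;)height:[01](px)?(;|$)/.test(css);
  return hidden || tinyCss || (isTiny(a.width) && isTiny(a.height));
}

// Returns the HTML with tracker images removed plus the hosts that would have been contacted.
function stripTrackingPixels(html) {
  const blocked = [];
  const clean = html.replace(/<img\b[^>]*>/gi, (tag) => {
    const a = parseAttrs(tag);
    if (!isTrackingPixel(a)) return tag;
    blocked.push(remoteHost(a.src));
    return "";
  });
  return { clean, blocked };
}

// Constructed sample message body (hypothetical hosts).
const SAMPLE_EMAIL = `
<p>Your spring newsletter</p>
<img src="https://cdn.newsletter.example/banner.png" width="600" height="200" alt="Banner">
<img src="https://open.mailtracker.example/o.gif?u=recipient-123" width="1" height="1" alt="">
<img src='https://t.mailtracker.example/p.png' style="display: none">
<img src="cid:logo@newsletter.example" width="1" height="1">`;

console.log(stripTrackingPixels(SAMPLE_EMAIL).blocked);
```

The visible banner and the embedded `cid:` image are left in place; only the two remote images with no visual purpose are removed before anything is fetched.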
Gblock is a browser extension that detects and blocks tracking pixels in Gmail. It identifies spy pixels embedded in emails before they can fire, preventing senders from collecting your IP address, location, device information, and read timestamps. The same pixel technology that cost hospitals $100 million is in your inbox right now.
- Blocks tracking pixels from loading in Gmail
- Shows you which emails contained hidden trackers
- Works silently in the background without changing your email workflow
- No data leaves your browser