
Feb 05, 2026 · 5 min read

Kaiser's Tracking Pixels Sent 13 Million Patients' Data to Google for Seven Years

From 2017 to 2024, tracking code on Kaiser Permanente's website and mobile app silently funneled patients' personal and medical information to Google, Meta, Microsoft, and Twitter. Now the healthcare giant is paying $46 million to settle.


Seven Years of Silent Data Collection

Kaiser Permanente, one of America's largest healthcare providers, has agreed to pay up to $47.5 million to settle a class action lawsuit alleging that tracking pixels on its websites and mobile applications transmitted confidential patient information to third party technology companies without consent.

The lawsuit alleges that from November 2017 to May 2024, every time a Kaiser member logged in, searched for a doctor, or checked their medical claims, snippets of tracking code from Google Analytics, Meta Pixel, Microsoft, and Twitter quietly captured and transmitted that activity to advertising platforms.

Approximately 13.4 million current and former members across California, Colorado, Georgia, Hawaii, Maryland, Oregon, Virginia, Washington, and the District of Columbia are eligible for the settlement.

What the Tracking Code Captured

The tracking pixels embedded on Kaiser's authenticated pages collected far more than basic website analytics. According to the lawsuit, the data transmitted to tech companies included:

  • Patient names and IP addresses
  • Search terms entered on Kaiser's portal
  • Medical history and health conditions
  • Communications with healthcare professionals
  • Device information and browsing patterns

This is not a case of hackers breaking in. Kaiser voluntarily placed these tracking scripts on its own platforms. The code worked exactly as designed by Google and Meta. It just happened to be sitting on pages where patients shared their most sensitive information.

A Pattern Across Healthcare

Kaiser is not alone. In 2025, Blue Shield of California disclosed that a Google Analytics tracking pixel had leaked 4.7 million patients' health data to Google Ads for nearly three years. The FTC has also taken enforcement actions against GoodRx and BetterHelp for similar tracking pixel violations.

The pattern is consistent. Healthcare organizations deploy the same advertising infrastructure used by retailers and media companies, often on authenticated pages where patients enter protected health information. When the tracking code transmits page URLs, search queries, and form data to Google or Meta, it takes patient data along with it.

A 2024 study found that tracking pixels were present on 98% of hospital websites, with the majority sending data to Google. Many of these implementations were on pages requiring patient login.

Why Compliance Failed

HIPAA requires healthcare entities to protect patient information, but the law was written before tracking pixels existed. The regulation does not explicitly address third party analytics tools embedded on healthcare websites, creating a gap that organizations have been slow to close.

In December 2022, the U.S. Department of Health and Human Services issued a bulletin warning that tracking technologies on healthcare websites could violate HIPAA. Yet many organizations continued using them, either unaware of the risk or unwilling to give up the analytics data they provided.

The Kaiser settlement signals that the legal costs of ignoring tracking pixel compliance are rising. At $46 million, it is one of the largest healthcare tracking pixel settlements to date. Organizations that have not yet audited their websites for third party tracking code now have a clear financial incentive to do so.
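One way to run such an audit, as an added example that is not code from the article or from any organization it names: take the requests a logged-in page made and flag those sent to other sites that carry the page URL or the patient's search terms. The hosts and the capture are constructed placeholders, and `site`, `leaked_fields` and `audit` are hypothetical names.

```python
from urllib.parse import parse_qsl, unquote, urlsplit

FIRST_PARTY = "portal.example-health.test"  # assumption: placeholder first-party host

# Constructed capture: (page the logged-in patient was on, URL the browser requested)
CAPTURE = [
    ("https://portal.example-health.test/secure/find-doctor?q=oncology",
     "https://portal.example-health.test/static/app.js"),
    ("https://portal.example-health.test/secure/find-doctor?q=oncology",
     "https://collector.example-ads.test/pixel?ev=PageView&url="
     "https%3A%2F%2Fportal.example-health.test%2Fsecure%2Ffind-doctor%3Fq%3Doncology"),
    ("https://portal.example-health.test/secure/claims",
     "https://cdn.example-fonts.test/font.woff2"),
]


def site(host):
    """Crude site key (last two labels); a real audit should use the Public Suffix List."""
    return ".".join(host.lower().split(".")[-2:])


def leaked_fields(page_url, request_url):
    """Name the parts of the page URL that reappear in the outbound request."""
    page, req = urlsplit(page_url), urlsplit(request_url)
    # parse_qsl percent-decodes values, so an encoded page URL becomes readable here
    haystack = [v for _, v in parse_qsl(req.query, keep_blank_values=True)]
    haystack.append(unquote(req.path))
    found = []
    if any(page.netloc + page.path in h for h in haystack):
        found.append("page_url")
    terms = [v for _, v in parse_qsl(page.query) if len(v) >= 3]
    if any(t in h for t in terms for h in haystack):
        found.append("search_terms")
    return found


def audit(capture, first_party=FIRST_PARTY):
    """List every third-party request and what it carried off the page."""
    findings = []
    for page_url, request_url in capture:
        host = urlsplit(request_url).hostname or ""
        if site(host) == site(first_party):
            continue  # same-site request, not a third-party transfer
        findings.append({"host": host, "page": urlsplit(page_url).path,
                         "leaks": leaked_fields(page_url, request_url)})
    return findings


if __name__ == "__main__":
    for finding in audit(CAPTURE):
        print(finding)
```

A third-party request with an empty `leaks` list still discloses the visitor's IP address and the fact of the visit, so every third-party host on an authenticated page needs a justification, not only the ones that echo the URL.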

How to File a Claim

If you were a Kaiser Permanente member who accessed the organization's websites or mobile applications between November 2017 and May 2024, you may be eligible for a payment estimated between $20 and $40.

Key dates:

Eligible members should have received an email with a unique Settlement Class Member ID required to submit a claim.

The Same Technology Monitors Your Inbox

The tracking pixels that leaked Kaiser's patient data operate on the same principle as the spy pixels embedded in marketing emails. Both are invisible. Both transmit data without your knowledge. Both create behavioral profiles you never consented to.

When a marketing email loads in your inbox, a 1x1 transparent image pings the sender's server with your IP address, location, device type, and the exact time you opened the message. Over 85% of marketing emails contain these hidden trackers.
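The 1x1 image described above can be spotted in a message body before it is rendered. This added example (not from the article) parses a constructed HTML email and reports remote images that are sized or styled to be invisible; the hosts are placeholders, and `PixelFinder` and `find_tracking_pixels` are hypothetical names.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed HTML body of a marketing email (all hosts are placeholders).
EMAIL_HTML = """\
<html><body>
<p>Spring sale starts today.</p>
<img src="https://img.example-shop.test/banner.png" width="600" height="200" alt="Sale">
<img src="https://open.example-mailer.test/o/abc123.gif" width="1" height="1" alt="">
<img src="https://t.example-mailer.test/p?id=abc123" style="display:none">
<img src="cid:logo@example-shop.test" width="1" height="1">
</body></html>
"""

# Inline styles that hide an image or shrink it to 0 or 1 pixel.
HIDDEN_STYLE = re.compile(
    r"display\s*:\s*none|visibility\s*:\s*hidden|"
    r"(?:^|[;\s])(?:width|height)\s*:\s*[01](?:px)?\s*(?:;|$)", re.I)


class PixelFinder(HTMLParser):
    def __init__(self):
        super().__init__()
        self.pixels = []

    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = {k: (v or "") for k, v in attrs}
        src = a.get("src", "")
        if urlsplit(src).scheme not in ("http", "https"):
            return  # cid: and data: images are embedded, so loading them pings no server
        tiny = (a.get("width", "").strip() in ("0", "1")
                and a.get("height", "").strip() in ("0", "1"))
        hidden = bool(HIDDEN_STYLE.search(a.get("style", "")))
        if tiny or hidden:
            reason = "1x1 size" if tiny else "hidden by style"
            self.pixels.append({"src": src, "reason": reason})


def find_tracking_pixels(html):
    """Return remote images that are invisible to the reader."""
    finder = PixelFinder()
    finder.feed(html)
    finder.close()
    return finder.pixels
```

Size and style are heuristics: any remote image can carry a per-recipient identifier in its URL, so a mail client that blocks remote content by default covers the cases this check misses.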

If a major healthcare provider can unknowingly funnel millions of patients' medical data to advertising platforms through tracking pixels, the same technology in your inbox deserves the same scrutiny.

Blocking tracking pixels wherever they appear, whether on healthcare websites or in your email, is the only reliable way to stop your data from ending up where it does not belong.