
Mar 05, 2026 · 5 min read

1.2 Million Patients' Medical Records Were Sent to Meta and Google Through a Tracking Pixel

Legacy Health embedded Meta Pixel and Google Analytics on its patient portal for five years. The $2.2 million settlement is just the latest in a $100 million wave of healthcare tracking pixel lawsuits.

[Image: Hospital reception desk with a computer showing a patient portal login, overlaid with data-flow lines representing tracking pixel transmission]

Every Login Was Watched

Every time a Legacy Health patient logged into their portal, Meta and Google were watching. Page visits, clicks, timestamps, medical record access patterns: all of it streamed silently to two of the world's largest advertising companies through invisible tracking pixels embedded in the hospital's website.

Legacy Health, an Oregon-based nonprofit hospital system, has agreed to pay $2.2 million to settle a class-action lawsuit over the embedded trackers. But this is not an isolated incident. It is the latest entry in a growing ledger of healthcare tracking pixel violations that has surpassed $100 million in penalties, and it comes at a time when one in three hospital websites still runs the same code that triggered these lawsuits.

What Legacy Health Did

Between 2019 and 2024, Legacy Health deployed Meta Pixel and Google Analytics tracking code on its patient-facing portal. These tools, designed to help marketers measure ad campaign performance, were instead running on pages where patients logged into their medical records.

The Meta Pixel operates by firing a small piece of JavaScript code when a page loads. It captures the URL, referrer, device information, and any data passed through the page's form fields. On a retail site, that might mean a product you viewed. On a patient portal, it meant which pages patients visited, what they clicked, and when they accessed their medical records.

According to the lawsuit, this data flowed directly to Meta Platforms (Facebook) and Alphabet (Google) without patient knowledge or consent. No HIPAA authorization was obtained. No opt-out was offered.

Who Is Affected

The settlement covers approximately 1,234,702 patients in two groups:

  • Patients who registered for a portal account between February 18, 2019 and December 31, 2020
  • Patients who logged into the portal between January 1, 2021 and February 9, 2024

Class members can claim a $15 cash payment and receive one free year of medical identity protection service, including dark web monitoring and $1 million in identity theft insurance. The claim deadline is March 16, 2026.

The $100 Million Problem Hospitals Will Not Fix

Legacy Health is not an outlier. Since 2023, at least 19 healthcare organizations have faced penalties for tracking pixel violations, with combined fines and settlements exceeding $100 million:

  • Kaiser Permanente: $46 million (13 million patients)
  • GoodRx: $25 million (FTC enforcement)
  • Mass General Brigham: $18.4 million
  • Advocate Aurora Health: $12.25 million
  • BetterHelp: $7.8 million
  • Cerebral: $7 million

The Meta Pixel Healthcare Litigation, a multidistrict federal case consolidating dozens of claims, even forced Meta CEO Mark Zuckerberg to sit for a limited deposition about whether Meta knowingly collected protected health information from hospital websites.

One in Three Hospitals Still Runs These Trackers

Despite more than two years of lawsuits, HHS Office for Civil Rights guidance, and nine-figure penalties, roughly one-third of healthcare websites still use Meta Pixel tracking code. Research published through the National Institutes of Health found that hospital websites routinely share patient data with advertising platforms through these embedded scripts.

The persistence of the problem stems from how web development works in practice. Marketing teams deploy tracking pixels to measure ad performance and website engagement. These same pixels fire on every page of a site, including authenticated patient portals, appointment schedulers, and health record access pages. Most hospitals do not have the technical controls to segment tracking code by page type.

What Compliance Teams Should Do Now

For healthcare compliance officers, the message is clear: if your website runs third-party tracking scripts, assume you have a problem until you prove otherwise.

  • Scan every page for Meta Pixel, Google Analytics, TikTok Pixel, and any other third-party tracking scripts
  • Map data flows from patient-facing pages to understand exactly what information is transmitted to external parties
  • Remove tracking code from all authenticated pages, patient portals, appointment scheduling, and condition-specific content
  • Implement consent management platforms that comply with both HIPAA and state privacy laws
  • Document everything because regulators and plaintiffs' attorneys will ask for evidence of reasonable compliance efforts
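As an added example (not code from the article, Legacy Health, or any of the vendors named), here is a small Python audit script of the kind a compliance team could run over crawled HTML to carry out the first and third steps above and to address the lack of page-type segmentation described earlier: it looks for the public loader hosts and global API calls of Meta Pixel, Google Analytics, and TikTok Pixel, then rates any hit on a patient-facing path as high severity. The sensitive path prefixes and the sample pages are constructed assumptions; adjust them to your own site map.

```python
import re
from urllib.parse import urlparse

# Public loader hosts and global API calls of the trackers named in the article.
TRACKER_SIGNATURES = {
    "Meta Pixel": [r"connect\.facebook\.net/\S*fbevents\.js", r"\bfbq\s*\("],
    "Google Analytics": [r"googletagmanager\.com/gtag/js",
                         r"google-analytics\.com/analytics\.js", r"\bgtag\s*\("],
    "TikTok Pixel": [r"analytics\.tiktok\.com", r"\bttq\.(load|track|page)\s*\("],
}

# Assumed path prefixes for the page types the article says must carry no trackers:
# authenticated portals, appointment scheduling, and condition-specific content.
SENSITIVE_PATH_PATTERNS = [r"^/portal", r"^/mychart", r"^/login",
                           r"^/appointments?", r"^/conditions?/"]

def find_trackers(html):
    """Return the set of tracker names whose signatures appear in the page source."""
    return {name for name, patterns in TRACKER_SIGNATURES.items()
            if any(re.search(p, html) for p in patterns)}

def is_sensitive_path(url):
    """True if the URL path falls into a patient-facing category."""
    path = urlparse(url).path or "/"
    return any(re.search(p, path, re.IGNORECASE) for p in SENSITIVE_PATH_PATTERNS)

def audit_pages(pages):
    """pages: {url: html}. Returns (url, tracker, severity) tuples. HIGH means a
    tracker fires on a patient-facing page and must be removed; REVIEW means a
    public page that still needs a consent and data-flow check."""
    findings = []
    for url, html in pages.items():
        for tracker in sorted(find_trackers(html)):
            severity = "HIGH" if is_sensitive_path(url) else "REVIEW"
            findings.append((url, tracker, severity))
    return findings

# Constructed sample pages (not real hospital pages): a public page with GA,
# a records page with Meta Pixel, a scheduler with TikTok Pixel, and a clean page.
SAMPLE_PAGES = {
    "https://hospital.example/": "<script async src='https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER'></script><script>gtag('js', new Date());</script>",
    "https://hospital.example/portal/records": "<script>!function(f,b,e,v,n,t,s){}(window,document,'script','https://connect.facebook.net/en_US/fbevents.js');fbq('init','000000');fbq('track','PageView');</script>",
    "https://hospital.example/appointments/new": "<script src='https://analytics.tiktok.com/i18n/pixel/events.js'></script>",
    "https://hospital.example/about": "<html><body>No third-party scripts.</body></html>",
}

if __name__ == "__main__":
    for url, tracker, severity in audit_pages(SAMPLE_PAGES):
        print(f"{severity:6} {tracker:16} {url}")
```

Feed it the rendered HTML of every crawled page (trackers injected by tag managers only appear after JavaScript runs), and treat every HIGH finding as a page that must lose its tracker, not one to be whitelisted.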

The Same Technology Monitors Your Inbox

The tracking pixels that leaked Legacy Health's patient data operate on the same principle as the spy pixels embedded in marketing emails. Both are invisible. Both transmit data without your knowledge. Both create behavioral profiles you never consented to.

When a marketing email loads in your inbox, a 1x1 transparent image pings the sender's server with your IP address, location, device type, and the exact time you opened the message. If a major healthcare provider can unknowingly funnel millions of patients' medical data to advertising platforms through tracking pixels, the same technology in your inbox deserves the same scrutiny.

Blocking tracking pixels wherever they appear, whether on healthcare websites or in your email, is the only reliable way to stop your data from ending up where it does not belong.