
May 22, 2026 · 9 min read

A Rutgers Study of 1,201 Hospitals Found That Putting a Facebook or Google Tracking Pixel on Your Site Makes a Breach 46% More Likely—And 66% of US Hospitals Still Do It

Twelve years of website data. 1,201 hospitals. One causal finding that should end the debate: third party trackers are not analytics. They are a breach vector with a quantified failure rate.


What the Study Actually Measured

On May 15, 2026, researchers at Rutgers Business School-Newark published a paper in PNAS Nexus titled "Beyond the click: Pixel tracking technologies and patient data security in hospitals." Lead author Hilal Atasoy, with doctoral candidate Maria Zhang and Assistant Professor Ryan McDonough, pulled twelve years of website data from 1,201 American hospitals. They cross referenced that data with the HHS Office for Civil Rights breach portal, which logs every healthcare data breach affecting 500 or more individuals.

The headline finding is the kind of number that ends arguments. Hospitals that embedded third party tracking pixels on their websites were 46% more likely to experience a data breach than hospitals that did not. Sixty-six percent of the hospitals in the sample used third party pixels at some point during the study window. The breach association was strongest for "unintended disclosure"—the breach category where patient data leaks not through a hack but through a vendor relationship the hospital authorized in writing.

How a Pixel Becomes a Breach

A tracking pixel is a one by one image embedded in a webpage—or, in the email tracking case, an HTML email—that loads from a third party server. The act of loading the image transmits everything the browser would normally send in a request: the user's IP address, browser fingerprint, the page they were on when the pixel fired, and a cookie that links the visit to other visits across other sites.

For a hospital, that means a patient researching colorectal cancer symptoms transmits, to Meta or Google, the URL of the page they were on. The URL contains the condition name. The IP address ties to an internet account. The cookie ties to a Facebook profile or a Google account. The HHS Office for Civil Rights ruled in December 2022 that IP addresses tied to health related browsing constitute Protected Health Information under HIPAA. The hospital is now the source of a HIPAA violation it did not realize it was committing.

Atasoy's team did not stop at correlation. They measured the same hospitals before and after they deployed tracking pixels. The breach rate jumped. They measured hospitals that built their own analytics in house, which never transmit data to third parties. The breach rate did not jump. That is what the 46% number measures: the additional breach risk attributable to the choice of vendor pixels over first party analytics.

The Receipts: Advocate Aurora, Community Health Network

Two breaches the paper highlights show the mechanism in operation. Advocate Aurora Health in 2022 disclosed that its tracking pixels had transmitted data on three million patients to Meta. The pixels were on the patient portal—the page where patients log in to view test results, message their doctor, and schedule appointments. Community Health Network in 2023 disclosed an identical pattern. 1.5 million patients. Same vendors. Same mechanism.

Neither hospital was hacked. There was no intrusion to remediate, no credential to rotate, no malware to clean off a server. The breach was the website itself, working exactly as the marketing team had configured it. The pixels did their job perfectly. The job was to transmit patient data to advertising platforms.

By April 2026, hospital tracking pixel class actions had already produced $100 million in settlements across providers like Inova ($3.1 million), Sutter Health ($21.5 million), and Reid Health. The Rutgers paper provides the empirical backbone plaintiffs' attorneys now cite to show that hospitals knew or should have known the risk.

Why 66% Still Do It

The Rutgers paper does not just measure risk. It explains why the practice has not changed despite years of public warnings. The reasons are operational:

  • Tracking pixels from Google, Meta, and the major ad networks are free at the point of installation. Building in house analytics requires engineering staff that most hospitals do not have
  • The marketing teams that configure the pixels do not coordinate with the legal teams that interpret HIPAA, and neither coordinates with the IT security teams that respond to breaches
  • The Office for Civil Rights, despite issuing warning letters to 130 hospitals in 2023, has issued few enforcement fines large enough to change the cost calculation. Settlements have eaten into the savings, but the cost of installing the pixel is still less than the expected cost of getting sued
  • Most hospital websites have never been audited by their compliance team for third party trackers. The marketing department added the tag through Google Tag Manager. Nobody in compliance even knows it is there

The Rutgers team's recommendation is unambiguous, even if, in their words, its reach is "limited to the largest and richest hospital systems": build first party analytics, host them yourself, and never let a third party tag fire on any page that touches patient data. For the other 1,000 hospitals in their sample, the cost barrier is the reason 66% remains 66%.

The Email Tracking Parallel

The same mechanism that put Advocate Aurora's three million patient records into Meta's ad targeting graph is the mechanism that fires every time a marketing email is opened. A one by one image, hosted on a third party server, loads when the email is rendered. The act of loading transmits the recipient's IP address, the precise time of opening, the device used, and a unique identifier tied to that recipient. In aggregate, the sender knows what time of day each subscriber checks email, which device they use at home versus at work, and how many times they reread a particular message.
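As an added example that is not from the original post or from Gblock, the following Node.js script applies the mechanism described above to both cases the post covers: the audit a hospital compliance team would run over a condition page to find third party tags and see what the Referer header would carry to the vendor, and the detection of a one by one read receipt image in a marketing email. The Meta Pixel (`facebook.com/tr`) and Google Tag Manager (`googletagmanager.com/gtm.js`) endpoint patterns are real public endpoints; the hostnames, markup and tracker ids are constructed for the example.

```javascript
// Added example (not from the original post): audit HTML for third-party tracking
// requests and report what a browser would leak with each. The Meta Pixel and Google
// Tag Manager endpoints are real; sample markup and hostnames are constructed here.
const KNOWN_TRACKERS = [
  { vendor: 'Meta Pixel', host: /(^|\.)facebook\.com$/, path: /^\/tr\b/ },
  { vendor: 'Google Tag Manager', host: /(^|\.)googletagmanager\.com$/, path: /^\/gtm\.js/ },
];

// Every remote resource a browser fetches while rendering: <img src> (the pixel itself)
// and <script src> (tag containers such as GTM that inject pixels after load).
function remoteResources(html) {
  const re = /<(img|script)\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  const out = [];
  for (let m; (m = re.exec(html)) !== null; ) {
    const onePixel = /\bwidth\s*=\s*["']?1\b/i.test(m[0]) && /\bheight\s*=\s*["']?1\b/i.test(m[0]);
    out.push({ kind: m[1].toLowerCase(), src: m[2], onePixel });
  }
  return out;
}

// Classify each resource against the embedding page. The Referer header on the request
// carries the page URL, so a condition name or portal path in pageUrl reaches the third
// party together with the visitor's IP address and any cookie set for that host.
function auditPage(pageUrl, html) {
  const page = new URL(pageUrl);
  return remoteResources(html).map((r) => {
    const u = new URL(r.src, page);
    const thirdParty = u.hostname !== page.hostname;
    const t = KNOWN_TRACKERS.find((k) => k.host.test(u.hostname) && k.path.test(u.pathname));
    return {
      ...r, host: u.hostname, thirdParty,
      vendor: t ? t.vendor : thirdParty ? 'unknown third party' : 'first party',
      leaksReferer: thirdParty ? page.pathname + page.search : null,
      identifiers: [...u.searchParams.keys()], // tracker ids / per-recipient tokens in the URL
    };
  });
}

// Email case: a remote one-by-one image carrying a per-recipient token is a read receipt.
function emailTrackingPixels(emailHtml) {
  return remoteResources(emailHtml)
    .filter((r) => r.kind === 'img' && r.onePixel && /^https?:/i.test(r.src))
    .map((r) => ({ src: r.src, identifiers: [...new URL(r.src).searchParams.keys()] }));
}

// Constructed sample inputs: a hospital condition page and a tracked marketing email.
const SAMPLE_PAGE_URL = 'https://hospital.example/conditions/colorectal-cancer';
const SAMPLE_PAGE_HTML = `<img src="/static/logo.png" width="200" height="60">
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE"></script>
<img src="https://www.facebook.com/tr?id=000000000&ev=PageView&noscript=1" width="1" height="1">`;
const SAMPLE_EMAIL_HTML = '<p>Hello</p><img src="https://track.mailer.example/o.gif?r=abc123" width="1" height="1">';
```

Running `auditPage(SAMPLE_PAGE_URL, SAMPLE_PAGE_HTML)` flags the GTM container and the Meta pixel as third party and shows that both requests would carry `/conditions/colorectal-cancer` in the Referer header; a blocker such as the browser tools named in this post stops those requests before they complete.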

In France, the CNIL published a recommendation in May 2026 giving marketers ninety days to obtain explicit consent before firing an email pixel. In the United States, Forbes settled a $10 million class action in May 2026 on the theory that pixel based tracking constitutes a wiretap under the California Invasion of Privacy Act. The legal framework is converging on the same conclusion the Rutgers researchers reached empirically: third party pixels are a breach event, not a marketing optimization.

Gblock blocks email tracking pixels at the browser level. When a tracked email loads in Gmail, Gblock prevents the third party request from completing. The sender's analytics platform records no open. The same defense that hospitals would need to apply to their websites is what Gblock applies to your inbox, automatically, on every email.

What This Means for Patients, Plaintiffs, and Compliance Teams

For patients, the practical consequence is that visiting your hospital's website to read about a condition is, more likely than not, sending that condition name to Meta and Google. Browser based defenses—uBlock Origin, Privacy Badger, the tracking protection built into Brave and Firefox—block the pixels at load time. Logging into the patient portal from a browser configured with these tools is materially safer than doing so from an unprotected browser.

For plaintiffs' attorneys building tracking pixel class actions, the Rutgers paper is the kind of source that survives a motion to dismiss. The paper is peer reviewed, the dataset is auditable, and the 46% number is a quantified harm that translates into damages.

For hospital compliance officers, the paper is the receipt that turns "we did not know" into "we should have known." Twelve years of data, 1,201 hospitals, and a peer reviewed effect size puts the burden of proof on the hospital, not the patient. The next time the marketing team asks to add a new pixel to the homepage, the compliance team now has a paper to point at.

The Underlying Pattern

The Rutgers study is part of a research wave that is quantifying what privacy advocates have been saying anecdotally for years. A separate study showed that a person's four most visited websites form a unique fingerprint for 95% of users, even after cookies are blocked. State health exchanges in twenty states transmitted citizenship, race, and prescription drug names to TikTok and Meta through the same pixel mechanism.

The third party tracking ecosystem was built on the premise that the data being collected was harmless. The harm has now been measured. It is, in the hospital website case, a 46% increase in the probability of a breach event that costs the average hospital $11 million in settlements, regulatory fines, and remediation. The question is no longer whether tracking pixels are a privacy issue. The question is why anyone is still installing them.
