Hospital websites continue to expose patient information to advertisers.

      A recent investigation by Bloomberg and Feroot reveals that nine out of the ten largest health companies in the US are still using advertising trackers on the patient login and registration pages. This issue persists because no significant measures have been taken to address it.

      Investigations of online tracking have followed a recognizable pattern over the years. A journalist or researcher visits a website, monitors the background activity, and often uncovers surprising data destinations. Bloomberg's latest investigation, released this month, reveals that little has changed regarding online tracking on the websites of major healthcare companies in the US.

      Collaborating with the privacy-compliance firm Feroot Security, Bloomberg analyzed the websites of the ten largest publicly traded health insurance, hospital, and laboratory companies in the US. They found that nine out of ten had advertising and analytics trackers on their user registration and login pages.

      Approximately 15% of the health websites examined were capable of reading exact keystrokes on login pages, which means that third parties could potentially access sensitive information such as Social Security numbers, usernames, passwords, email addresses, appointment times, billing information, and medical diagnoses.

      This can be read as a story of persistence, of regulatory failure, or possibly of both.

      The presence of trackers raises questions about how and why they remain on these sites. The issue has been apparent for years. A study published in Health Affairs indicated that 98.6% of US hospital websites incorporated third-party tracking.

      In 2022, it was reported that 33 of the top 100 US hospital websites had Meta’s Pixel transmitting data to Facebook each time a patient clicked to schedule an appointment. A 2023 investigation by STAT revealed that nearly every hospital website in the country was leaking visitor data to advertising technology vendors, despite clear privacy commitments.

      Federal regulators took action, with the Office for Civil Rights and the Federal Trade Commission jointly warning around 130 hospitals and telehealth providers in 2023 that using tracking technologies on patient-facing pages could violate HIPAA and consumer protection laws.

      The healthcare sector defended itself. In June 2024, a federal judge in Texas ruled in favor of hospital associations, stating that HHS had overstepped its authority in attempting to expand HIPAA regulations to unauthenticated webpage tracking. Consequently, the agency's enforcement efforts have visibly diminished.

      This has led to a situation where the tracking of sensitive online activity, well documented and academically scrutinized, has not changed significantly in 2026 compared with 2022, according to Bloomberg.

      What data is being collected by these trackers?

      The third parties most frequently identified through Feroot’s tools are well-known names: Meta’s tracking pixel, Google Analytics, LinkedIn Insights, TikTok Pixel, along with multiple advertising and data-broker vendors.

      The data they acquire may include the page URL, search terms entered into a symptom-finder, scheduling activities, and, in cases where keystroke reading is enabled, information entered prior to submission. Once data leaves a hospital's domain, industry consensus indicates that hospitals have limited control over its subsequent use.
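
A site owner can run the same kind of check against their own pages. The following is an added example, not code from Bloomberg or Feroot: it takes the request URLs captured while a page was open and reports which left the first-party domain, which match the trackers named above, and whether the page URL or a typed value appears in the query string. The domain `hospital.example`, the sample requests and all function names are constructed for illustration.

```python
from urllib.parse import urlsplit, parse_qsl

# Public hostname suffixes for the four trackers the article names.
TRACKER_HOSTS = {
    "facebook.com": "Meta Pixel",
    "facebook.net": "Meta Pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Analytics",
    "licdn.com": "LinkedIn Insight",
    "ads.linkedin.com": "LinkedIn Insight",
    "analytics.tiktok.com": "TikTok Pixel",
}

def _within(host, suffix):
    return host == suffix or host.endswith("." + suffix)

def audit_requests(first_party, page_url, typed_values, request_urls):
    """Report every request that left the first-party domain and what it carried."""
    findings = []
    for url in request_urls:
        parts = urlsplit(url)
        host = (parts.hostname or "").lower()
        if _within(host, first_party):
            continue  # stays inside the site's own domain
        vendor = next((name for suffix, name in TRACKER_HOSTS.items()
                       if _within(host, suffix)), "unknown third party")
        leaked = []
        for key, value in parse_qsl(parts.query):  # parse_qsl percent-decodes values
            if value == page_url:
                leaked.append(f"{key}=<page URL>")
            elif any(t.lower() in value.lower() for t in typed_values if t):
                leaked.append(f"{key}=<typed value>")
        findings.append({"host": host, "vendor": vendor, "leaked": leaked})
    return findings

# Constructed sample: requests seen while a symptom-finder page was open.
SAMPLE_PAGE = "https://portal.hospital.example/symptom-finder?q=chest+pain"
SAMPLE_REQUESTS = [
    "https://portal.hospital.example/static/app.js",
    "https://www.facebook.com/tr?id=0000&ev=PageView"
    "&dl=https%3A%2F%2Fportal.hospital.example%2Fsymptom-finder%3Fq%3Dchest%2Bpain",
    "https://www.google-analytics.com/g/collect?v=2&ep.search_term=chest+pain",
    "https://cdn.widgets.example/chat.js",
]

def run_sample():
    return audit_requests("hospital.example", SAMPLE_PAGE, ["chest pain"], SAMPLE_REQUESTS)

if __name__ == "__main__":
    for finding in run_sample():
        print(finding)
```

Any host reported as an unknown third party on a login or registration page deserves the same review as the named trackers, since the table only covers the vendors this article lists.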

      The marketing rationale behind these trackers is straightforward. They facilitate advertising attribution, conversion measurement, and audience development—the same functions they serve on retail or media websites.

      When a defense is attempted, it often argues that the trackers are set up to exclude protected health information and that hospitals either have business associate agreements with relevant vendors or do not require them.

      However, Bloomberg's investigation, along with previous academic and journalistic inquiries, suggests that this defense is more difficult to uphold in real-world scenarios than in theory.

      Once embedded, trackers behave as intended. Configuring them to adhere to HIPAA's expected discretion is a discipline that many healthcare websites struggle to maintain on a large scale.

      There’s also a subtler aspect to this issue. Navigating a hospital’s website increasingly represents the first step in a healthcare journey. The pages a patient views, the symptoms they search for, and the providers they consider collectively form a picture of their health, both physical and mental—a picture that remains sensitive regardless of how it was compiled.

      On a more critical note, the same advertising infrastructure that supports routine e-commerce is, in this instance, capturing data regarding pregnancies, mental health treatment, addiction, and serious medical diagnoses, often without patients' knowledge and certainly without meaningful consent.

      The subsequent advertising and data-broker ecosystem, along with the chain of reselling and inference that powers programmatic ads, is so opaque that even the originating tracker vendor cannot fully clarify where the data ultimately goes.

      In contrast, Amazon’s newly expanded Health AI service, designed to function within a HIPAA-compliant framework, illustrates that when companies wish to manage health data responsibly, they can do so. According to Bloomberg’s reporting, most hospital websites have defaulted to not doing the same.

      How can this issue be resolved?

      There are theoretically three ways to eliminate the trackers. The first involves regulation: an enforcement action by HHS or the FTC that withstands appeals and results in a significant settlement. The second involves
