In June 2022, reporters at The Markup published an investigation with a simple method and a startling result. They visited the websites of Newsweek's top 100 hospitals in America and watched the network traffic. On roughly a third of them, Meta's advertising pixel was present — and on some, it fired on the appointment-scheduling flow, transmitting details about doctors, conditions and bookings toward Facebook's servers.
That single piece of reporting set off the most consequential chain of events in healthcare web privacy to date. If you operate any healthcare website, the pattern that emerged is worth understanding in detail, because it is now the template for how this category of risk plays out.
What the pixel actually does
The Meta Pixel is a snippet of JavaScript that website owners install to measure advertising and build retargeting audiences. When a page loads, the pixel sends an event to Meta that includes the page URL, metadata about the visit, and — because most visitors are logged in to Facebook or Instagram in the same browser — cookies that tie the event to a real, named account.
On a retail site, that is the business model working as intended. On a hospital's "schedule an appointment with an oncologist" page, the same mechanics mean a third party is receiving health-adjacent information linked to an identifiable person. Configuration options like "advanced matching" can widen what is captured — including values typed into forms, such as names and email addresses.
The crucial point: nobody at these hospitals decided to send patient information to Meta. Marketing installed a standard tag, often through a tag manager, and the default behavior of the tool did the rest. This is a configuration and inventory failure mode, not a malice one — which is what makes it so common.
The cascade that followed
Breach notifications. Within months, health systems began treating pixel data flows as reportable incidents. Novant Health notified over a million patients in 2022 that pixel code had been misconfigured on its website and patient portal. Advocate Aurora Health notified roughly three million. Cerebral, a telehealth company, later notified millions more. These disclosures landed on the HHS breach portal — the so-called "wall of shame" — exactly like a hacking incident would.
Class actions. The plaintiffs' bar moved quickly, filing dozens of suits arguing that pixel transmissions were unauthorized disclosures of health information. Advocate Aurora agreed to a settlement of about $12.25 million. Novant settled for a comparable amount. Many more cases followed against systems of every size, and the litigation has not been limited to Meta's pixel — analytics and session-replay tools appear in complaints, too.
Regulators. In December 2022, HHS OCR published its bulletin on online tracking technologies, putting regulated entities on notice that tracking tools on patient-facing pages can implicate HIPAA. In July 2023, the FTC and OCR took the unusual step of sending a joint letter to roughly 130 hospital systems and telehealth providers, warning them about the privacy risks of online tracking technologies on their websites and apps. The FTC separately brought actions against digital-health companies (GoodRx, BetterHelp) over sharing user health data with advertising platforms.
A federal court trimmed OCR's most expansive legal theory in June 2024 — see our Google Analytics explainer for that part of the story — but it did nothing to undo the breach notifications, the settlements, or the FTC's authority. The cost of the pattern was never primarily the OCR fine; it was everything else.
Why appointment pages are the fault line
Every enforcement document, complaint, and settlement in this saga keeps returning to the same place: patient-facing pages. Booking flows, intake forms, portal logins, condition-specific pages wired to scheduling. The reason is straightforward — that is where page context plus user identity becomes health information about a person.
A pixel on a hospital's homepage says "someone visited a hospital website." The same pixel firing on /schedule?provider=oncology&reason=follow-up says something categorically different, and it says it to an advertising company with no business associate agreement and its own commercial interests in the data.
This is why a sensible scanner does not treat all tracker findings equally. Sift Health classifies every crawled page (appointment, intake, portal, general) and escalates the severity of the same tracker when it sits on a patient-facing page — because that distinction is the actual lesson of 2022–2024.
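To make the two points above concrete (what the pixel reports about a page, and why the same tracker deserves a different severity on a booking flow than on a homepage), here is an added worked example. It is not Sift Health's code and not Meta's. It takes pairs of (page URL, outbound request URL) as a browser capture would provide them, picks out requests to known tracker endpoints, reads the page URL the pixel reports back in its `dl` parameter and any advanced-matching `ud[...]` fields, classifies the page by path, and escalates severity for patient-facing classes. The tracker hostnames, the path keywords, the severity table and the sample capture (pixel id and hash are placeholders) are all assumptions of the example.

```python
"""Classify captured tracker requests by the page context they fired from.

Added example, not Sift Health's code. Assumptions: input is a list of
(page URL, outbound request URL) pairs captured from a browser session
(for example from a HAR export); the tracker hostnames, the path keywords
used to classify pages, and the severity table are illustrative.
"""
from dataclasses import dataclass, field
from urllib.parse import parse_qs, urlparse

# Endpoints that receive advertising or analytics events (illustrative subset).
TRACKER_HOSTS = {
    "www.facebook.com": "Meta Pixel",
    "www.google-analytics.com": "Google Analytics",
}

# Path fragments that mark a page as patient-facing. Assumed for this example;
# a real site needs its own list, confirmed by crawling.
PAGE_CLASSES = [
    ("appointment", ("schedule", "appointment", "book")),
    ("intake", ("intake", "register", "new-patient")),
    ("portal", ("portal", "mychart", "login")),
]

# The same tracker is escalated when it sits on a patient-facing page.
SEVERITY = {"appointment": "high", "intake": "high", "portal": "high", "general": "low"}
SEVERITY_RANK = {"high": 0, "low": 1}


def classify_page(page_url):
    """Return the page class for a URL based on its path."""
    path = urlparse(page_url).path.lower()
    for page_class, needles in PAGE_CLASSES:
        if any(n in path for n in needles):
            return page_class
    return "general"


@dataclass
class Finding:
    tracker: str
    page_url: str
    page_class: str
    severity: str
    # Parameters worth reviewing: the page URL the pixel reports (dl) and any
    # advanced-matching fields (ud[...]), which carry hashed form values.
    leaked_params: dict = field(default_factory=dict)

    def uses_advanced_matching(self):
        return any(k.startswith("ud[") for k in self.leaked_params)


def analyze_request(page_url, request_url):
    """Return a Finding if the request goes to a known tracker, else None."""
    parsed = urlparse(request_url)
    tracker = TRACKER_HOSTS.get(parsed.netloc)
    if tracker is None:
        return None  # first party or an unlisted host
    params = parse_qs(parsed.query)
    leaked = {k: v[0] for k, v in params.items() if k == "dl" or k.startswith("ud[")}
    page_class = classify_page(page_url)
    return Finding(tracker, page_url, page_class, SEVERITY[page_class], leaked)


def analyze_capture(capture):
    """Analyze (page URL, request URL) pairs; most severe findings first."""
    findings = []
    for page_url, request_url in capture:
        finding = analyze_request(page_url, request_url)
        if finding is not None:
            findings.append(finding)
    return sorted(findings, key=lambda f: SEVERITY_RANK[f.severity])


# Constructed sample capture: what a browser on a hospital site might emit.
# The pixel id and the ud[em] hash are placeholders, not real values.
SAMPLE_CAPTURE = [
    ("https://hospital.example/",
     "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView"
     "&dl=https%3A%2F%2Fhospital.example%2F"),
    ("https://hospital.example/schedule?provider=oncology&reason=follow-up",
     "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=PageView"
     "&dl=https%3A%2F%2Fhospital.example%2Fschedule%3Fprovider%3Doncology%26reason%3Dfollow-up"),
    ("https://hospital.example/schedule?provider=oncology&reason=follow-up",
     "https://hospital.example/static/app.js"),  # first party, ignored
    ("https://hospital.example/intake/new-patient",
     "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=Lead"
     "&dl=https%3A%2F%2Fhospital.example%2Fintake%2Fnew-patient"
     "&ud%5Bem%5D=" + "0" * 64),
]

if __name__ == "__main__":
    for f in analyze_capture(SAMPLE_CAPTURE):
        flag = " [advanced matching]" if f.uses_advanced_matching() else ""
        print(f"{f.severity:4} {f.page_class:11} {f.tracker} on {f.page_url}{flag}")
        if "dl" in f.leaked_params:
            print(f"     reported page: {f.leaked_params['dl']}")
```

Run against the sample, the homepage hit comes out low and the two patient-facing hits come out high, with the scheduling request's reported page URL showing the provider and reason exactly as the text describes. The classification is deliberately path-based so it can run over a public crawl without logging in; a real inventory should confirm the list of patient-facing paths with the people who own the booking and portal flows.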
What to do with your own site
The practical defense is unglamorous: know what is running, and keep the patient-facing surface clean.
- Inventory every third-party tag on your site — directly installed and loaded via tag managers. If you have never done this, assume there are tags you do not know about; that was true for billion-dollar health systems.
- Remove advertising pixels and session replay from patient-facing pages. There is rarely a defensible reason for a retargeting pixel on a booking flow. If a vendor claims their tool is fine there, ask them to sign a BAA and watch what happens.
- Check what your forms transmit. Form fields captured by "advanced matching" or session-recording tools are the worst version of this problem.
- Say what you do in your privacy policy — and then actually do it. Several complaints leaned hard on the gap between policy language and observed network traffic.
- Monitor continuously. The Markup found these pixels because hospitals were not looking. Tags reappear with every campaign and redesign; a quarterly manual check will miss them.
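The third item above, checking what your forms transmit, is the one that is hardest to do by eyeballing a tag list, so here is an added example of how to test it directly. It is not Sift Health's code. The assumed workflow is to fill a form on a patient-facing page with canary values you control (a test email address, a made-up name), export the browser's outbound requests, and run the check over them. It looks for each canary both as raw text and as the SHA-256 of its normalized form, since advanced-matching style fields send hashed values while session-replay tools may send raw keystrokes; the normalizations, the vendor hostnames and the sample requests are constructed for the example.

```python
"""Check whether values typed into a form reach a third party, raw or hashed.

Added example, not Sift Health's code. Assumed workflow: fill a form on a
patient-facing page with canary values you control, export the browser's
outbound requests, and run this over them. Advanced-matching style tools
send SHA-256 of the normalized value (email lowercased and trimmed);
session-replay tools may send the raw text that was typed.
"""
import hashlib
import re
from urllib.parse import unquote_plus, urlparse


def candidate_hashes(value):
    """SHA-256 digests a tracker might send for a typed value. The
    normalizations (trim + lowercase; digits-only for phone-like input)
    are the common ones and are assumed here."""
    forms = {value.strip().lower()}
    digits = re.sub(r"\D", "", value)
    if digits:
        forms.add(digits)
    return {hashlib.sha256(f.encode("utf-8")).hexdigest() for f in forms}


def is_first_party(host, first_party_host):
    return host == first_party_host or host.endswith("." + first_party_host)


def scan_request(first_party_host, req, canaries):
    """req: {'url': str, 'body': str (optional)}. Returns (canary, how, host)
    for each canary found in a third-party request, raw or hashed."""
    host = urlparse(req["url"]).netloc
    if is_first_party(host, first_party_host):
        return []  # the form's own submission to the site is expected
    payload = (unquote_plus(req["url"]) + "\n" + unquote_plus(req.get("body", ""))).lower()
    hits = []
    for canary in canaries:
        if canary.lower() in payload:
            hits.append((canary, "raw", host))
        elif any(h in payload for h in candidate_hashes(canary)):
            hits.append((canary, "sha256", host))
    return hits


def scan_capture(first_party_host, capture, canaries):
    """Run scan_request over every captured request."""
    hits = []
    for req in capture:
        hits.extend(scan_request(first_party_host, req, canaries))
    return hits


# Constructed sample: canaries typed into an intake form, and three requests
# the browser emitted afterwards. Hosts and bodies are made up for this example.
FIRST_PARTY = "hospital.example"
CANARIES = ["canary-form-test@example.com", "Canary Testpatient"]
SAMPLE_EMAIL_HASH = hashlib.sha256(b"canary-form-test@example.com").hexdigest()
SAMPLE_CAPTURE = [
    # the form's own submission: first party, expected
    {"url": "https://hospital.example/intake/submit",
     "body": "name=Canary+Testpatient&email=canary-form-test%40example.com"},
    # pixel event carrying the hashed email as an advanced-matching field
    {"url": "https://www.facebook.com/tr/?id=PIXEL_ID_PLACEHOLDER&ev=Lead&ud[em]=" + SAMPLE_EMAIL_HASH},
    # session-replay vendor receiving the raw text typed into the name field
    {"url": "https://replay.vendor.example/rec",
     "body": '{"events":[{"type":"input","text":"Canary Testpatient"}]}'},
]

if __name__ == "__main__":
    for canary, how, host in scan_capture(FIRST_PARTY, SAMPLE_CAPTURE, CANARIES):
        print(f"{canary!r} reached {host} ({how})")
```

On the sample, the first-party submission is ignored, the hashed email is found in the pixel request and the raw name is found in the replay vendor's body. Because the check works from observed traffic rather than from the tag list, it catches tags loaded through a tag manager as well as ones installed directly, which is the inventory gap the first item above warns about.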
The takeaway
The Meta Pixel story is not really about Meta. It is about a structural blind spot: marketing tooling defaults that are harmless on most of the web become disclosures on the patient-facing parts of a healthcare site, and nobody inside the organization is tasked with watching for them. The investigation that started it all was, at bottom, someone looking at the network traffic — something any practice can now do for itself.
That is the gap a free Sift Health scan is built to close: it crawls your public pages, classifies the patient-facing ones, and tells you exactly which trackers are firing where — with severity that reflects this history, and plain-English recommendations for each finding. Not a compliance determination; just the looking that, until recently, only reporters were doing.
Sources
- The Markup, Facebook Is Receiving Sensitive Medical Information from Hospital Websites (June 2022)
- HHS Office for Civil Rights breach portal entries: Novant Health (2022), Advocate Aurora Health (2022), Cerebral (2023)
- In re Advocate Aurora Health Pixel Litigation — settlement (~$12.25M)
- HHS OCR, online-tracking bulletin (Dec. 2022; revised Mar. 2024)
- FTC & OCR joint letter to ~130 hospital systems and telehealth providers (July 2023); FTC v. GoodRx (2023); FTC v. BetterHelp (2023)