Anatomy of a Health-Pixel Claim: From One Page Load to a $6.6 Million Settlement
A single advertising tag on a patient portal connects a person, a provider, and a condition — and that connection has driven settlements, FTC orders, and consolidated federal litigation. Here is the chain of events, request by request.
To see why tracking tools on health sites became a multi-front legal problem, it helps to follow a single page load from start to finish. The mechanics are simple. The consequences have not been.
The chain of events
A patient opens a hospital system's MyChart-style portal to view a test result or message a clinician. The page is served over an authenticated session — the visitor is logged in. Embedded in that page, alongside the legitimate application code, is an advertising pixel that the marketing team added months earlier to measure ad performance.
When the page renders, the pixel fires. It sends a request to the third-party advertising platform that can include the page URL — which on a portal often encodes the section being viewed, such as a scheduling path, a messaging thread, or a results page — together with the visitor's browser cookies. If that visitor is also logged into the advertising platform's consumer service in the same browser, one of those cookies is a stable account identifier. In a single request, three things travel together: a person (the account ID), a provider (the domain), and, by inference, a health context (the URL path).
That is the entire mechanism. No breach, no stolen database — just a default-on tag on a page it should never have touched.
How the law responded, on three tracks
The response did not come from one place, which is why it has been hard for operators to reason about.
The first track is private litigation. In one widely cited resolution, the North Carolina system Novant Health agreed to a $6.6 million settlement over allegations that a pixel on its MyChart portal disclosed the information of roughly 1.3 million people to Facebook during a period in 2020 to 2022. Many comparable suits were consolidated before a single federal judge in the Northern District of California — In re Meta Pixel Healthcare Litigation — against the advertising platform and various providers. The theory across them is consistent: undisclosed disclosure of identifiable health-related activity to a third party.
The second track is federal enforcement, and it reaches beyond HIPAA-covered entities. The FTC pursued GoodRx, BetterHelp, and the maker of the Premom app for disclosing health information through tracking tools — GoodRx (its first-ever Health Breach Notification Rule enforcement) and Premom under the Health Breach Notification Rule, and BetterHelp under the FTC Act's prohibition on unfair practices — treating the disclosures as reportable breaches and unfair practices. The significance is jurisdictional: a wellness app or a direct-to-consumer health brand is usually outside HIPAA but squarely inside the FTC's reach.
The third track is regulatory guidance — and this is where 2024 added important nuance rather than simply expanding liability. The HHS Office for Civil Rights had issued a bulletin treating a broad range of tracking scenarios as HIPAA-regulated. In American Hospital Association v. Becerra (June 2024), a federal court in the Northern District of Texas vacated one part of that guidance: the so-called proscribed combination, under which an IP address plus a visit to an unauthenticated public page about a health condition triggered HIPAA obligations. HHS declined to appeal. Crucially, the court did not disturb the guidance as applied to authenticated pages like patient portals. The line that survived is the one that matters most here: logged-in portal activity remains squarely within HIPAA's concern, even as the reach over anonymous visits to public health-information pages narrowed.
Layered on top is state law. Washington's My Health My Data Act, and similar measures elsewhere, reach health-linkable data well outside HIPAA's definitions and, in Washington's case, carry a private right of action — which keeps exposure alive even where a court has trimmed federal guidance.
Why this pattern is so persistent
The recurring root cause is organizational, not technical. Marketing owns the tag manager; compliance owns the risk; the two rarely review the same pages. An advertising pixel deployed site-wide by default does not distinguish a blog post from an authenticated results page. The tool behaves identically; only the page's sensitivity changes. That is why the same finding shows up across otherwise dissimilar organizations.
What the autopsy makes visible
Reduced to observable facts, a health-pixel exposure has a clear signature:
- A third-party advertising or analytics tag present on authenticated or health-context pages, not just marketing pages.
- Outbound requests carrying URL paths that reveal a clinical or scheduling context.
- Platform identifiers — account cookies,
fbp, click IDs — accompanying those requests. - Tags firing on load, before any consent or disclosure, on pages where the disclosure is most sensitive.
The legal questions around health tracking remain contested at the edges, and the 2024 ruling genuinely narrowed one theory. But the core finding — an advertising tag on a page that reveals who is doing what, healthwise — is the through-line connecting the settlements, the FTC orders, and the MDL. It is also exactly the kind of thing a scan can surface before it becomes a notice letter.
Sources
See what your own pages do
The behaviors above are observable on the wire. LawsuitGuard loads your site in a real browser, maps every tracker and when it fires, and shows the evidence behind each finding.
Run a free scan