A new investigation by Bloomberg and Feroot Security has found that nine of the ten largest US health insurance, hospital, and laboratory companies continue to load advertising and analytics trackers on patient login and registration pages. This is the same pattern that academic studies, journalistic investigations, and federal regulators have flagged repeatedly since at least 2022.
What the investigation found
Bloomberg and Feroot examined the websites of the ten largest publicly traded US healthcare companies. Nine of the ten had advertising trackers installed on user-registration or login pages. About 15 percent of the broader sample of health websites could read exact keystrokes on login pages, meaning third parties could in principle collect Social Security numbers, usernames, passwords, email addresses, appointment times, billing details, and medical diagnoses.
The third parties most commonly identified are Meta's tracking pixel, Google Analytics, LinkedIn Insights, TikTok Pixel, and a long tail of advertising and data-broker vendors. The data they receive can include the URL of the page, search terms entered into a hospital's symptom-finder, scheduling actions, and, in keystroke-capable cases, fields entered before submission.
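To make the finding concrete from the defender's side, the following is an added audit script, not code from the Bloomberg or Feroot investigation. It takes the HTML of a patient-portal login page, lists every script, image and iframe fetched from a third-party origin, labels the ones that match a small vendor inventory (the Meta, Google, LinkedIn and TikTok hostnames are assumptions based on those vendors' public tags), marks which of them execute as script and can therefore observe keystrokes before submission, and checks whether a Content-Security-Policy on the page would have stopped the script from loading. The sample page, the tracker list, the sensitive-path patterns and the CSP are all constructed for this example.

```javascript
// Added audit example: finds third-party resource loads on a login page and
// checks whether a Content-Security-Policy would have blocked the scripts.
// The sample HTML, tracker inventory and CSP below are constructed.

// Assumption: these are the script/beacon hosts used by the vendors the
// article names (Meta Pixel, Google Analytics/Tag Manager, LinkedIn Insight
// Tag, TikTok Pixel). Replace with your own vendor inventory.
const KNOWN_TRACKER_HOSTS = {
  "connect.facebook.net": "Meta Pixel",
  "www.facebook.com": "Meta Pixel (image beacon)",
  "www.google-analytics.com": "Google Analytics",
  "www.googletagmanager.com": "Google Tag Manager",
  "snap.licdn.com": "LinkedIn Insight Tag",
  "analytics.tiktok.com": "TikTok Pixel",
};

// Paths where any third-party script is a credential-exposure risk (constructed list).
const SENSITIVE_PATHS = [/\/login/i, /\/signin/i, /\/register/i, /\/patient-portal/i];

// Pull src attributes from <script>, <img> and <iframe> tags with a simple regex.
// Adequate for static HTML; use a real HTML parser for production audits.
function extractResourceUrls(html, pageUrl) {
  const re = /<(script|img|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const urls = [];
  let m;
  while ((m = re.exec(html)) !== null) {
    try {
      urls.push({ tag: m[1].toLowerCase(), url: new URL(m[2], pageUrl) });
    } catch { /* skip malformed src values */ }
  }
  return urls;
}

// A host is first-party if it equals the page host or is a subdomain of it.
function isFirstParty(host, pageHost) {
  return host === pageHost || host.endsWith("." + pageHost);
}

// Minimal CSP check: does script-src (falling back to default-src) allow this host?
function cspAllowsScript(csp, host) {
  const directives = Object.fromEntries(
    csp.split(";").map(d => d.trim().split(/\s+/)).filter(p => p[0]).map(p => [p[0], p.slice(1)])
  );
  const sources = directives["script-src"] || directives["default-src"] || ["*"];
  return sources.some(src => {
    if (src === "*" || src === "https:" || src === "http:") return true;
    const h = src.replace(/^https?:\/\//, "").replace(/\/.*$/, "").replace(/:\d+$/, "");
    if (h.startsWith("*.")) return host.endsWith(h.slice(1)); // "*.example.com"
    return h === host;
  });
}

function auditPage({ pageUrl, html, csp }) {
  const page = new URL(pageUrl);
  const sensitive = SENSITIVE_PATHS.some(rx => rx.test(page.pathname));
  const findings = [];
  for (const { tag, url } of extractResourceUrls(html, pageUrl)) {
    if (isFirstParty(url.hostname, page.hostname)) continue;
    findings.push({
      tag,
      host: url.hostname,
      vendor: KNOWN_TRACKER_HOSTS[url.hostname] || "unknown third party",
      // Only executing script can read form fields; image/iframe beacons leak the URL and referrer.
      canReadKeystrokes: tag === "script",
      // script-src governs <script>; img-src/frame-src would govern the other tags.
      blockedByCsp: tag === "script" && csp ? !cspAllowsScript(csp, url.hostname) : false,
      severity: sensitive && tag === "script" ? "high" : "medium",
    });
  }
  return { sensitivePage: sensitive, findings };
}

// Constructed sample: a portal login page loading a Meta Pixel script,
// a Google Analytics image beacon and its own first-party bundle.
const SAMPLE_HTML = `<html><head>
  <script src="https://connect.facebook.net/en_US/fbevents.js"></script>
  <script src="/static/app.js"></script>
</head><body>
  <form><input name="username"><input type="password" name="password"></form>
  <img src="https://www.google-analytics.com/collect?v=1&t=pageview" width="1" height="1">
</body></html>`;

// Constructed CSP for authenticated pages: only first-party scripts may run,
// so the pixel script is refused even if someone re-adds the tag.
const SAMPLE_CSP = "default-src 'self'; script-src 'self'; img-src 'self'";

const report = auditPage({
  pageUrl: "https://portal.example-hospital.org/login",
  html: SAMPLE_HTML,
  csp: SAMPLE_CSP,
});
console.log(JSON.stringify(report, null, 2));
```

Run against a saved copy of a login page, the report separates the two failure modes the article describes: a third-party script on a credential page (high severity, keystroke-capable) and a beacon that only reports the page URL. The CSP check is deliberately the last line of defence; the first is not embedding the tag on authenticated pages at all.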
Why the trackers persist
The problem has been visible for years. An academic study published in Health Affairs found that 98.6 percent of US hospital websites included third-party tracking. In 2022, 33 of the top 100 US hospital websites had Meta's Pixel sending data to Facebook every time a patient clicked a button to schedule an appointment. In 2023, STAT's investigative team showed that almost every hospital website in the country was leaking visitor data to ad-tech vendors despite explicit privacy promises.
Federal regulators responded. The Office for Civil Rights and the Federal Trade Commission jointly warned roughly 130 hospitals and telehealth providers in 2023 that the use of tracking technologies on patient-facing pages risked violations of HIPAA and consumer-protection law. The healthcare industry pushed back. In June 2024, a federal judge in Texas sided with hospital associations, ruling that HHS had exceeded its authority in trying to extend HIPAA to tracking on unauthenticated webpages. The agency's enforcement appetite has been visibly chilled since.
What the data flows to
The marketing case for the trackers is simple: they support advertising attribution, conversion measurement, and audience-building. The defence, when offered, is that the trackers are configured not to capture protected health information, and that hospitals have business associate agreements with the relevant vendors. Bloomberg's investigation suggests this defence is harder to sustain in practice than in theory. The trackers, once embedded, do what trackers do. Configuring them to behave with the discretion HIPAA expects is a discipline most healthcare websites have not maintained at scale.