Hospital websites are still leaking patient data to advertisers, four years after the warnings

Four years after warnings, a new investigation reveals that nine of the 10 largest US health companies continue to load third-party advertising trackers on patient login and registration pages, compromising sensitive data and exposing patients to targeted advertising. This vulnerability stems from the use of non-HTTPS pages and outdated tracking scripts, which can be exploited by malicious actors. Patient data remains at risk due to a lack of industry-wide security standards. AI-assisted, human-reviewed.

A new investigation by Bloomberg and Feroot Security has found that nine of the ten largest US health insurance, hospital, and laboratory companies continue to load advertising and analytics trackers on patient login and registration pages. This is the same pattern that academic studies, journalistic investigations, and federal regulators have flagged repeatedly since at least 2022.

What the investigation found

Bloomberg and Feroot examined the websites of the ten largest publicly traded US healthcare companies. Nine of the ten had advertising trackers installed on user-registration or login pages. About 15 percent of the broader sample of health websites could read exact keystrokes on login pages, meaning third parties could in principle collect Social Security numbers, usernames, passwords, email addresses, appointment times, billing details, and medical diagnoses.

The third parties most commonly identified are Meta's tracking pixel, Google Analytics, LinkedIn Insights, TikTok Pixel, and a long tail of advertising and data-broker vendors. The data they receive can include the URL of the page, search terms entered into a hospital's symptom-finder, scheduling actions, and, in keystroke-capable cases, fields entered before submission.
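A site owner can check a login or registration page for this exposure by listing every embed that loads from a domain the organisation does not control. The sketch below is an added example, not code from Bloomberg or Feroot; the function names, the list of sensitive input types, and all hostnames in the sample page are assumptions made for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

SENSITIVE_TYPES = {"password", "email", "tel"}  # assumed list of sensitive inputs
EXPOSURE = {  # what a third party gains from each kind of embed
    "script": "runs in the page; can read form fields and keystrokes",
    "img": "receives a request from the page",
}

class Audit(HTMLParser):
    def __init__(self, page_url, first_party):
        super().__init__()
        self.page_url, self.first_party = page_url, first_party
        self.fields, self.embeds = [], []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "input" and (a.get("type") or "text").lower() in SENSITIVE_TYPES:
            self.fields.append(a.get("name") or a.get("id") or "(unnamed)")
        if tag in EXPOSURE and a.get("src"):
            # Resolve relative and protocol-relative URLs against the page URL.
            host = urlsplit(urljoin(self.page_url, a["src"])).hostname
            if host and not any(host == d or host.endswith("." + d)
                                for d in self.first_party):
                self.embeds.append((tag, host, EXPOSURE[tag]))

def audit_page(html, page_url, first_party):
    # first_party: set of domains the site owner controls (caller-supplied).
    p = Audit(page_url, first_party)
    p.feed(html)
    p.close()
    scripts = sorted({h for t, h, _ in p.embeds if t == "script"})
    return {"sensitive_fields": p.fields, "third_party": p.embeds,
            # Third-party scripts that share a page with a sensitive field.
            "scripts_with_field_access": scripts if p.fields else []}

# Constructed sample page; every hostname is a placeholder.
SAMPLE = """
<form action="/login" method="post">
  <input type="text" name="member_id">
  <input type="password" name="password">
</form>
<script src="/static/app.js"></script>
<script src="https://cdn.portal.hospital.example/ui.js"></script>
<script async src="https://pixel.adtech.example/events.js"></script>
<img src="//beacon.broker.example/t.gif?ev=PageView" width="1" height="1">
"""
```

Static HTML shows only the tags present at load time; scripts injected later by a tag manager appear only in the rendered DOM or in a network capture, so run the same check against a saved copy of the rendered page as well.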

Why the trackers persist

The problem has been visible for years. An academic study published in Health Affairs found that 98.6 percent of US hospital websites included third-party tracking. In 2022, 33 of the top 100 US hospital websites had Meta's Pixel sending data to Facebook every time a patient clicked a button to schedule an appointment. In 2023, STAT's investigative team showed that almost every hospital website in the country was leaking visitor data to ad-tech vendors despite explicit privacy promises.

Federal regulators responded. The Office for Civil Rights and the Federal Trade Commission jointly warned roughly 130 hospitals and telehealth providers in 2023 that the use of tracking technologies on patient-facing pages risked violations of HIPAA and consumer-protection law. The healthcare industry pushed back. In June 2024, a federal judge in Texas sided with hospital associations, ruling that HHS had exceeded its authority in trying to extend HIPAA to a category of unauthenticated webpage-tracking. The agency's enforcement appetite has been visibly chilled since.

What the data flows to

The marketing case for the trackers is simple: they support advertising attribution, conversion measurement, and audience-building. The defence, when offered, is that the trackers are configured not to capture protected health information, and that hospitals have business associate agreements with the relevant vendors. Bloomberg's investigation suggests this defence is harder to sustain in practice than in theory. The trackers, once embedded, do what trackers do. Configuring them to behave with the discretion HIPAA expects is a discipline most healthcare websites have not maintained at scale.

The
