Over $100 Million in Healthcare Privacy Settlements (And Counting)
Here’s the version of the story we keep hearing.
A few years ago, a hospital marketing team did what every marketing team does. They added marketing tools to the website. A retargeting pixel from one of the major ad platforms. Analytics from another. Maybe a heatmap tool to see where visitors clicked. Maybe a chat widget. Maybe a session replay tool.
Before 2022, there was a clear dividing line between what was PHI and what wasn’t on a website. If your visitors weren’t logged in to a patient portal with their medical records, or submitting a form that says something like “Hi doctor, I have this disease,” you didn’t have to worry.
Then, in late 2022, HHS-OCR published guidance treating tracking technologies on healthcare websites, public pages included, as a HIPAA issue. The complaints landed. The names of hospitals on the front page of HIPAA Journal started to pile up.
In the few years since, more than two dozen healthcare organizations have settled privacy claims, most of them class actions, tied to tracking on their websites. The aggregate is past $100 million. The list of named hospitals is the kind that makes you wince: large academic medical centers, regional health systems, multi-state hospital networks, FQHCs, networks of dental clinics. Several individual settlements have crossed $10 million. A few are above $20 million. Another is currently in litigation, with exposure that the latest filings put close to $50 million.
The trail behind almost every case leads back to the same kind of finding. A piece of code on the hospital’s website was sending unique information about each visitor, along with the specific pages they were reading, to a third party that hadn’t signed a Business Associate Agreement. The names on those third-party servers change from case to case. The pattern doesn’t.
If you’re a hospital marketing director, and a small voice in the back of your head just asked, “wait, what’s running on our site right now?”, you’re not alone. Most teams we talk to don’t actually know. The pixel was installed years ago. The team that added it has moved on. It still fires every time a patient lands on a service-line page.
The Doctor-Patient Relationship Starts on Your Homepage.
The easy reaction, when a settlement like this hits the news, is to treat it as a cost-of-doing-business problem. A new line item on the risk register. Something for compliance to handle.
We don’t think it’s really about that.
These lawsuits are the legal system catching up to something most hospital leaders already believed. The doctor-patient relationship doesn’t start in the exam room. It starts the moment someone lands on your hospital’s website at 11pm, worried about a symptom, looking for a doctor they can trust to help. By the time they click into the “Cancer Treatment Options” page, they’re already trusting your hospital with something deeply private about themselves. Sharing what they read about with a third party that’s free to use it for advertising isn’t only a regulatory risk. It’s a small but real breach of the trust your providers and your staff are working every single day to earn.
That’s the part that matters most to us. And honestly, we think it’s the part that matters most to the hospital leaders we work with too.
The financial math also doesn’t work, of course. If we help a client drive an extra $5 million in service line revenue and that same client gets hit with a $20 million settlement, we haven’t actually helped them. But we’d rather not have to make that argument. The trust argument should have already settled it.
So when we run marketing for hospitals, we hold ourselves to two things at the same time. Grow the service lines. Deliver more care to more patients who need it. Protect the trust. We never want to push the envelope on patient privacy. There is no version of healthcare marketing that’s worth the trade.
So We Built You a Free HIPAA Scanner.
It lives at https://hipaa-scan.echo-factory.com/.
Paste in any URL. About ten seconds later, you get a graded report (A through F) showing every tracker, pixel, and third-party tag the scanner found firing on the page, with a plain-English verdict, a numeric risk score, and the real-world settlement history behind each finding.
No login. No demo request. No five-page form.
The scanner is looking for a specific kind of thing: any piece of code on your site that might send a unique identifier for the visitor (something that can connect a browsing session back to a real person, such as a cookie or device ID) along with the pages they’re reading to a third-party server that hasn’t signed a Business Associate Agreement. The most widely deployed examples come from the biggest social, ad, and analytics platforms like Facebook and Google, which is why those names show up most often in the settled cases.
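One way to see this class of finding on your own page, as an added example that is not Echo-Factory’s scanner and not the code behind hipaa-scan.echo-factory.com: a small, stdlib-only Python audit that parses a page’s HTML, lists every resource the browser would load from a host other than the page’s own, flags the inline bootstrap calls the major pixels use, and gives each form the medium-risk floor (high when it posts off-site). The tracker host list, the inline markers, and the sample page are constructed for the example and are not authoritative.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative map of well-known tracker hosts to vendor names. An assumption
# for this example, not a complete or authoritative catalogue.
KNOWN_TRACKERS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (noscript image beacon)",
    "www.googletagmanager.com": "Google Tag Manager / GA4",
    "www.google-analytics.com": "Google Analytics",
    "static.hotjar.com": "Hotjar",
}

# Tag -> attribute whose value the browser fetches when the page loads.
LOADING_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

# Inline bootstrap calls that fire a tag even when the loader <script src> is
# injected later (for example by a tag manager). Also an assumption.
INLINE_MARKERS = {"fbq(": "Meta Pixel", "gtag(": "Google tag", "hj(": "Hotjar"}


class TagCollector(HTMLParser):
    """Collect loaded resource URLs, inline script bodies and form actions."""

    def __init__(self):
        super().__init__()
        self.resources = []          # (tag, url) for every src/href the page loads
        self.forms = []              # action attribute of every <form>
        self.inline_js = []          # bodies of <script> elements without src
        self._in_inline_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_inline_script = not attrs.get("src")
        attr = LOADING_ATTRS.get(tag)
        if attr and attrs.get(attr):
            self.resources.append((tag, attrs[attr]))
        if tag == "form":
            self.forms.append(attrs.get("action") or "")

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_inline_script = False

    def handle_data(self, data):
        if self._in_inline_script:
            self.inline_js.append(data)


def request_host(url, page_host):
    """Host a URL is fetched from; relative and protocol-relative URLs resolve to the page."""
    if url.startswith("//"):
        url = "https:" + url
    return urlparse(url).hostname or page_host


def audit(html, page_url):
    """Return third-party tag findings and a per-form risk for one HTML document."""
    page_host = urlparse(page_url).hostname
    collector = TagCollector()
    collector.feed(html)

    trackers = []
    for tag, url in collector.resources:
        host = request_host(url, page_host)
        if host != page_host:  # any load from another host is a third-party request
            trackers.append({"kind": tag, "host": host,
                             "vendor": KNOWN_TRACKERS.get(host, "unknown third party")})
    inline = "".join(collector.inline_js)
    for marker, vendor in INLINE_MARKERS.items():
        if marker in inline:
            trackers.append({"kind": "inline", "host": None, "vendor": vendor})

    # Every form gets the medium floor (the concern is what a patient types into
    # it); a form that posts to a host other than the page's own is high.
    forms = []
    for action in collector.forms:
        host = request_host(action, page_host) if action else page_host
        forms.append({"action_host": host, "risk": "high" if host != page_host else "medium"})
    return {"trackers": trackers, "forms": forms}


# Constructed sample page for the example; hosts, IDs and paths are made up.
SAMPLE_URL = "https://hospital.example/services/cancer-treatment"
SAMPLE_HTML = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXX"></script>
<script>window.dataLayer=window.dataLayer||[];function gtag(){dataLayer.push(arguments);}
gtag('js',new Date());gtag('config','G-XXXX');</script>
<script>fbq('init','123456');fbq('track','PageView');</script>
<link rel="stylesheet" href="/static/site.css">
</head><body>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=123456&amp;ev=PageView"/></noscript>
<img src="/img/hero.jpg" alt="">
<form action="/contact" method="post"><input name="message"></form>
<form action="https://forms.vendor.example/submit" method="post"><input name="message"></form>
</body></html>"""

if __name__ == "__main__":
    report = audit(SAMPLE_HTML, SAMPLE_URL)
    for t in report["trackers"]:
        print(f"[{t['kind']}] {t['vendor']}" + (f" via {t['host']}" if t["host"] else ""))
    for f in report["forms"]:
        print(f"[form] posts to {f['action_host']}: {f['risk']} risk")
```

This is a static read of the HTML, so it misses tags that a tag manager injects at runtime and beacons that scripts send after the page loads; the scanner the post describes loads the page in a browser and watches the requests that actually fire, which is the check to rely on. The static pass is still useful as a quick first look and for diffing a page between deploys.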
We built it because we believe what we said in the section above. The first visit to a hospital’s website is the beginning of the doctor-patient relationship, and it deserves an appropriate level of privacy. Hospital marketing directors shouldn’t have to wait for an audit, or an attorney’s letter to find out what’s actually firing on the pages their patients visit. They should be able to look for themselves, in ten seconds, for free.
What the Report Tells You
The scanner is the flashlight. It’s designed to make a question that’s usually invisible (what is actually firing on this page when a patient visits?) answerable quickly.
Specifically, the report gives you:
A grade and a risk score. A through F, 0 to 100, calibrated against other healthcare sites so the grade actually means something in context.
A plain-English verdict, conditional on patient use. The scanner doesn’t know whether a given site is a covered entity, so it doesn’t pretend to. It tells you what’s firing and what the implications are if patients are visiting.
A real-world cost alert. This is the part that tends to get the marketing director’s attention. We add up the settlement history of every tracker we detected, from the settlements we’ve been able to find.
Every detected vendor, explained. For each tracker we find, the report tells you what it does, what to do about it, what we know about whether the vendor will sign a Business Associate Agreement (most of the major ad and social platforms will not), and the specific settled cases that vendor has been named in.
A cookie audit and a forms audit. What got stored in the browser during the visit, and what kind of risk every form on the page carries. (Forms get a medium-risk floor on a healthcare site regardless of where they post, because the bigger question is what a patient might type into one.)
A PDF download and a shareable link. For the moment when someone in legal, IT, or on the board says, “send me that report.”
How We Do Healthcare Marketing
The scanner is free, and the report is yours to keep. If you’d like help improving your site while still being able to effectively reach potential patients who need the care you provide, we’d be happy to help.
We are a Los Angeles healthcare marketing agency. We run paid media, build websites, and produce creative for hospitals, FQHCs, and multi-location clinics and healthcare practices.
Everything we said earlier about the doctor-patient relationship starting on the homepage is the first half of how we approach this work. The second half is that none of it means doing less marketing.
Hospitals and healthcare organizations still need to grow their service lines, fill their schedules, and recruit clinicians in one of the hardest staffing markets in modern memory. We’ve spent years figuring out how to do that without relying on the kinds of tools that are putting our peers in court. There are measurement approaches that don’t hand patient browsing data over to ad networks. There are analytics platforms that will sign a Business Associate Agreement, or that don’t collect individually identifiable information in the first place.
That combination, growing the business while completely protecting patient privacy from the very first visit, is how we work. It’s what we think hospital and healthcare marketing should look like.
An “A” Doesn’t Mean You’re Clean. An “F” Doesn’t Mean You’re Sunk.
A disclaimer about what the scanner can and can’t do, before you go run your site through it.
The scanner is automated. It loads your page like a regular visitor, watches everything that fires, and grades what it sees. It’s a starting point. Treat it more as a warning flag that says “I should have a pro look at this” than as a verdict either way.
An A is good news. It does not automatically mean your site is sharing nothing it shouldn’t be.
An F is a wake-up call. It does not automatically mean your site is violating HIPAA. The scanner doesn’t know whether your organization is a covered entity, what BAAs you might already have in place, or what tools you might be using to de-identify visitor data before it reaches ad-delivery platforms. A poor grade is a reason to investigate, not a verdict.
The point of this tool is to make invisible information visible quickly, so the next conversation can be a good one.
Go Run Your Site Through It.
Then run your competitor’s. Then run that consumer health brand you’ve been benchmarking against.
Free HIPAA Site Scanner from Echo-Factory
If the scan comes back clean, great. If it comes back lower than you’d like, that’s a warning sign. Either way, you’ll have a clearer picture of what your patients are walking into when they land on your hospital’s homepage. Which feels like a fine place for a doctor-patient relationship to start.