Study of Healthcare Websites Shows Widespread and Risky Use of Tracking and Analytics Tools

A recent analysis of healthcare websites has revealed that the majority use marketing and analytics tools that could potentially disclose sensitive data to third parties. The study was jointly conducted by Piwik PRO, a privacy-first web analytics platform provider, and Verified Data, an automated audit platform that helps organizations verify analytics accuracy, data quality, and privacy compliance.

Healthcare organizations have faced increased scrutiny of their use of website tracking and analytics tools in recent years, after studies revealed these tools were being routinely used on healthcare websites, in some cases on authenticated pages, and were disclosing sensitive data to third parties. These tools collect and transmit information to third parties about website use, which may include protected health information – personally identifiable health information that HIPAA requires regulated entities to protect. Major HIPAA breaches have been reported to the HHS’ Office for Civil Rights (OCR) related to these tools, including by Advocate Aurora Health, Kaiser Permanente, Novant Health, and Atrium Health.

Patients are increasingly taking legal action over the use of these tools by healthcare providers. Over the past two years, dozens of lawsuits have resulted in settlements to resolve alleged privacy violations. Piwik PRO reports that more than $100 million was paid out in settlements between 2023 and 2025 to resolve healthcare privacy violations due to tracking and analytics tools such as Meta Pixel, Google Analytics, and Microsoft Advertising code.

The Piwik PRO/Verified Data study findings are published in the healthcare website tracking report, Are healthcare companies one audit away from a compliance crisis? The study involved scans of 59 websites of major U.S. hospitals and clinics to assess tracking, consent, and data compliance. The study did not investigate whether protected health information was being disclosed to third parties; rather, it looked for the presence of and behavior of tracking scripts, cookies, advertising pixels, and consent systems.

Concerningly, almost three-quarters (73%) of scanned healthcare websites had active advertising or marketing trackers, even when the Global Privacy Control (GPC) opt-out signal was running. GPC is a browser-based signal that communicates the user’s preference to opt out of the sale or sharing of their personal data to website operators. More than two-thirds of sites (69%) used marketing or advertising cookies, which strongly suggests that data is routed to third-party platforms. The narrow spread between the tracking figure and cookie figure suggests some trackers are likely operating without cookies, which means cookie blocking would not fully prevent exposure. The researchers identified 75 unique tracking tools across the 59 scanned sites, including Google Analytics, Meta Pixel, Microsoft Advertising and session replay technologies.

Over the years, The HIPAA Journal has observed improved education about HIPAA, with patients now having a much better understanding of what HIPAA protects, what it does not, and the rights HIPAA gives them. Patients expect privacy when they visit their healthcare providers, and those expectations extend to their providers’ digital presence. When they visit a healthcare website and search for information about sensitive health matters, book appointments, or disclose their information in forms, they expect that information to be kept private and not be disclosed to third parties such as social media companies and advertising networks, yet these tools have been doing that for years.

“This isn’t a story about reckless marketers or bad intentions. Healthcare organizations often inherit their analytics setup rather than actively choose it. Google Analytics became the default for many because it was free, established, and widely understood. The challenge today is scope creep. What began as website analytics has evolved into broader behavioral ad targeting platforms,” explained Magdalena Pawlitko, Head of Global Sales at Piwik PRO. “In regulated sectors such as healthcare, that creates greater compliance risk and requires much closer scrutiny of how data gathering tools are configured and governed.”

The problem for healthcare providers is that these tools provide important and useful features. While there are regulations governing the use of these tools, healthcare providers do not have to call a halt to their digital marketing campaigns, but they do need to assess their strategy and ensure that they have the right infrastructure in place to ensure compliance and protect patient privacy.

“Patients expect that their health-related behavior stays private when they visit a hospital website. “Meeting that expectation is entirely possible with the right setup – and organizations that get there aren’t just reducing their legal risk. They’re building something more valuable: a digital presence their patients can actually trust. said Brian Clifton, founder of Verified Data and digital analytics and privacy expert.

If not done so already, the researchers recommend that healthcare organizations conduct an audit of their current tracking setup, ensure that advertising pixels on web pages that are PHI-adjacent are removed, that they enforce opt-out signals at the tag management layer, replace non-compliant analytics with a purpose-built platform, and ensure they have compliant infrastructure in place. In addition, the researchers recommend making compliance a standing requirement, rather than a one-off review, ensuring that all compliance-related decisions are fully documented.

The post Study of Healthcare Websites Shows Widespread and Risky Use of Tracking and Analytics Tools appeared first on The HIPAA Journal.

Aitkin County Health and Human Services Data Breach Affects 81,000 Individuals

Aitkin County Health and Human Services in Minnesota has identified a breach of its email environment. Data breaches have also been confirmed by Decatur Diagnostic Laboratory in Alabama and Gem State Dermatology in Idaho.

Aitkin County Health and Human Services, Minnesota

Aitkin County Health and Human Services in Minnesota has identified a breach of its email environment. On April 8, 2026, an email account was found to be sending phishing emails. Immediate action was taken to secure its email system, and an investigation was launched to determine the scope of the breach. Assisted by third-party digital forensics experts, Aitkin County HHS determined that there had been unauthorized access to three employee email accounts between April 7, 2026, and April 8, 2026. The investigation confirmed that the contents of one of the accounts had been downloaded.

The accounts were reviewed and found to contain the protected health information of 83,114 individuals, including names, addresses, dates of birth, Social Security numbers, dates of service, locations of service, individual case identifying numbers, PMI numbers, medical or health information, diagnosis and/or treatment information, healthcare provider names, medications, health insurance identification numbers, information regarding the type and status of forms filed with MnCHOICES, the date forms were last modified, health insurance claims information and/or information related to services received by Aitkin County HHS. A report containing some of the above data types relating to individuals not associated with the County was also found in the email account.

Passwords have been changed, employees have received additional training on email cybersecurity practices, and efforts are continuing to raise awareness of phishing emails. The email retention policy has also been updated to reduce the impact of any future incidents, and additional cybersecurity measures and monitoring partnerships are being considered to strengthen security.

Decatur Diagnostic Laboratory, Alabama

Decatur Diagnostic Laboratory Inc., in Alabama, has recently reported a data breach to the HHS’ Office for Civil Rights using a placeholder estimate of at least 500 affected individuals. The clinical laboratory has added a breach notice to its website, which confirms that this was a hacking incident involving data exfiltration. The notice does not state when the breach was detected, or for how long the hacker had access to its network.

Decatur Diagnostic Laboratory has confirmed that the data exfiltrated in the attack included names in combination with one or more of the following: date of birth, Social Security number, driver’s license number, medical record number, and/or patient code. The affected individuals have been advised to remain vigilant against incidents of identity theft and fraud over the next 24 months. The notice does not mention free credit monitoring and identity theft protection services. While this was not confirmed as a ransomware attack, a ransomware group has claimed responsibility. The LockBit 5 group claims it exfiltrated data in the attack and added the lab to its dark web data leak site.

Gem State Dermatology, Idaho

Improper disposal incidents are the rarest category of data breach. The first such incident of the year to date affects Gem State Dermatology in Boise, Idaho. On July 8, 2026, patient documents containing HIPAA-protected data were found in a dumpster three miles from the dermatology practice. A member of the public identified boxes of paperwork that appeared to be billing statements containing medical and personal information of patients of the dermatology practice. In addition to paperwork, what appeared to be thousands of microscope slides containing patient information, and presumably biological samples, were also found in the dumpster.

The material has now been collected by the practice, and an internal investigation has been launched to determine how the incident happened. At this early stage of the investigation, the practice is unable to confirm how any patients have been affected by the incident.

The post Aitkin County Health and Human Services Data Breach Affects 81,000 Individuals appeared first on The HIPAA Journal.

Accenture Confirms Intrusion After Hacker Claims 35GB Data Breach

Accenture, one of the world’s largest consulting firms, has confirmed it has experienced a security breach, shortly after a hacker claimed to have breached its systems and exfiltrated 35GB of data from the company. Accenture has confirmed that it identified the source of the intrusion and remediated the incident, and that it had no impact on its financial position or operations.

Accenture provides professional services to help businesses and governments solve complex problems and assist them with the implementation of new technologies, cloud migrations, along with managed services to help them run day-to-day business processes. Its client list includes many Fortune 500 companies.

On July 6, 2026, a cybercriminal hacker with the handle “888” added a post titled “Accenture Data Breach” to a cybercrime forum claiming to have stolen 35 GB of data including source code, RSA keys, SSH keys, Azure Personal Access Tokens (PATs), Azure Storage access keys, configuration files, and other data. The hacker was offering the data for sale, requesting payment in the Monero digital currency. The post included a screenshot as proof of data theft.

While Accenture has confirmed that there was an intrusion, the company has not stated whether the attacker’s claims are genuine or provided any further information about the nature of the incident. This is not the first time the hacker has attempted to sell data stolen from Accenture, having listed data for sale that had been stolen in a third-party incident in 2024.

In that instance, the hacker claimed to be selling sensitive data, including the personally identifiable information of more than 30,000 employees, although Accenture said at the time that the hacker’s claims were vastly exaggerated, and only included the data of around three of its employees. The latest data theft claim may also have been exaggerated; however, if genuine, the highly sensitive nature of the stolen data will be a major cause of concern, potentially impacting the company’s clients and partners.

The post Accenture Confirms Intrusion After Hacker Claims 35GB Data Breach appeared first on The HIPAA Journal.

Drug and Alcohol Treatment Services Settles Data Breach Litigation

Drug and Alcohol Treatment Services, Inc., a Scranton, Pennsylvania-based provider of drug and alcohol addiction services, has agreed to settle class action litigation stemming from an October 2024 ransomware attack.

The attack resulted in the theft of the personal and protected health information of employees and patients. The HHS’ Office for Civil Rights was informed that 22,215 patients were affected. Data exposed or stolen in the incident included names, dates of birth, Social Security numbers, health insurance information, medical billing/claims information, patient account numbers, prescription/medication information, and diagnosis/treatment information.

Eight class action lawsuits were filed in response to the data breach, which were consolidated into a single complaint – Leo Woytach, et al v. Drug and Alcohol Treatment Services, Inc. – in the Court of Common Pleas of Lackawanna County, Pennsylvania. The consolidated lawsuit asserted claims for negligence, negligence per se, breach of contract, breach of implied contract, breach of fiduciary duty, breach of confidence, and unjust enrichment. The defendant denies all claims and contentions in the lawsuit and maintains there was no wrongdoing.

Following negotiations about a potential settlement and a full day of mediation, settlement terms were agreed upon that were acceptable to all parties. By settling, all parties avoid the costs, distraction, burden, and risks of a trial and related appeals. The defendant will establish a $549,000 settlement fund, from which attorneys’ fees and expenses, settlement administration/notification costs, and service awards for the eight class representatives will be paid. The remainder will be used to pay benefits to the class members.

The settlement covers individuals who were notified about the data breach and provides cash payments to individuals who submit a valid claim. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $5,000 per class member, or a claim may be submitted for a pro rata cash payment. The value of the cash payments will be determined by the number of valid claims received.  In addition, class members qualify for a free 12-month membership to a medical data monitoring service.

The deadline for filing an objection and opting out of the settlement is August 25, 2026. Claims must be submitted by September 24, 2026, and the final fairness hearing has been scheduled for November 24, 2026.

June 9, 2025: Drug and Alcohol Treatment Services Facing Multiple Class Action Data Breach Lawsuits

A Pennsylvania non-profit provider of drug and alcohol addiction services is facing multiple class action lawsuits over an October 2024 ransomware attack. Drug and Alcohol Treatment Services, Inc. (DATS), based at 441 Wyoming Avenue in Scranton, PA, identified unauthorized access to its computer network on October 6, 2024. The forensic investigation confirmed that an unauthorized third party had access to the protected health information of 22,215 individuals between October 5 and October 6, 2024. Data compromised in the incident included patient names, dates of birth, medical histories, treatment information, health insurance information, medical claims information, billing information, Social Security numbers, and financial information.

The data breach was confirmed by DATS on December 5, 2024; however, notification letters were not sent to the affected individuals until May 2, 2025. DATS said it was unaware of any misuse of the stolen data at the time of issuing notification letters and offered the affected individual complimentary credit monitoring and identity theft protection services. The notification letters did not state the exact nature of the cyberattack; however, the Interlock ransomware group claimed responsibility for the attack and said 150 GB of data was stolen. The ransom was not paid, so the group published the stolen data on its data leak site. The group claims the leaked files include the personal data of employees and patients.

Currently, at least eight class action lawsuits have been filed against DATS over the data breach. The lawsuits make similar claims, including negligence for failing to protect its information technology systems and sensitive patient and employee data. The lawsuits claim the data breach could have been prevented if DATS had implemented reasonable security measures and adhered to industry-standard data security practices. The lawsuits also claim that DATS did not provide timely notifications to the affected individuals, who were informed that their sensitive data had been stolen seven months after the data breach. The lawsuits claim the notification delay deprived the plaintiffs and class members of the opportunity to take action to mitigate the harmful effects of the data breach. The lawsuits also assert claims of breach of confidence, breach of implied contract, breach of fiduciary duty, unjust enrichment, and invasion of privacy.

The lawsuits seek class certification, a jury trial, damages, attorneys’ fees, reimbursement of legal costs and expenses, and injunctive relief, including an order from the court compelling DATS to implement measures to improve security.

The post Drug and Alcohol Treatment Services Settles Data Breach Litigation appeared first on The HIPAA Journal.