Hospital Websites Leaking Patient Data Four Years After Warnings
May 4, 2026 - 2:52 pm
A new Bloomberg-Feroot investigation reveals that nine out of the ten largest US health companies still load advertising trackers on pages where patients log in and register. This issue persists despite repeated warnings and efforts to regulate it.
Online Tracking: A Familiar Story
Investigations into online tracking often follow a similar pattern: a researcher loads a website, observes what loads behind the scenes, and discovers where the data ends up—often with surprising results. Bloomberg’s latest study, published this month, highlights that little has changed in the area where it's hardest to justify such practices: the websites of America's largest healthcare providers.
Findings from Bloomberg’s Investigation
Working with Feroot Security, Bloomberg analyzed the websites of the ten largest publicly traded US health insurance, hospital, and laboratory companies. They found that nine out of ten had advertising and analytics trackers on user-registration or login pages. These trackers can potentially capture sensitive information like:
- Social Security numbers
- Usernames and passwords
- Email addresses
- Appointment times
- Billing details
- Medical diagnoses
A Tale of Persistence and Regulatory Failure
This issue has been evident for years, with studies showing that 98.6% of US hospital websites include third-party tracking. In 2022, we reported on hospitals using Meta’s Pixel to send data to Facebook when patients scheduled appointments. STAT's investigation in 2023 revealed almost every hospital website nationwide leaking visitor data to ad-tech vendors despite privacy promises.
Federal regulators took action, warning hospitals and telehealth providers about using tracking technologies on patient-facing pages in 2023. However, the healthcare industry challenged these efforts, and a federal judge in Texas ruled against the HHS in June 2024, limiting their enforcement power.
The Result: Persistent Privacy Risks
Despite academic studies, regulatory warnings, litigation, and public awareness, Bloomberg’s findings suggest that this sensitive practice continues largely unabated in 2026. Common third-party trackers include Meta's tracking pixel, Google Analytics, and LinkedIn Insights.