Security | Threat Detection | Cyberattacks | DevSecOps | Compliance

Two Indiana healthcare providers, Goshen Health System and Hancock Regional Hospital, recently reached settlements tied to the use of website tracking technologies, including Meta Pixel. Neither organization admitted to any deliberate misconduct, emphasizing that the settlement is done to avoid the cost and disruption of continued litigation.

You don’t have to dig far into a payment page before the pattern makes itself obvious. A few scripts are yours. A few belong to vendors you expected. But then the list keeps going, and you start to see something else.

It starts with a simple audit. Your legal team checks Business Associate Agreements after OCR’s tracking technology guidance. Google Workspace BAA: signed. Analytics platform BAA: signed. CRM and marketing tools: covered. Then the question that changes everything: Do we have BAAs for the tracking pixels on our patient pages?

As a health-related technology company, you are not registered as a “healthcare provider”; therefore you are not HIPAA-covered. But under the Health Information Privacy Reform Act (HIPRA), your health app, wearable, or connected device may soon be held to the same privacy and security expectations as one.

The Office of the Australian Information Commissioner’s (OAIC) 2025 approach places more weight on how systems behave than how policies read. It reflects a broader shift that has been building for some time. APP 11, in particular, now rests on understanding the small, routine movements inside modern web and mobile environments. It’s because the environment drift rarely announces itself. New endpoints appear, SDK permissions adjust, and minor code changes influence how data is handled.

On November 6, 2025, The HIPAA Journal reported that Pomona Valley Hospital Medical Center (PVHMC) agreed to pay $600,000 to settle a class action lawsuit over its use of Meta Pixel and similar website-tracking technologies. The case, Warren v. Pomona Valley Hospital Medical Center, centered on how these tools may have unintentionally transmitted user identifiers and patient information to third parties such as Meta (Facebook).

Website data leaks don’t require hackers. They happen when legitimate scripts, analytics pixels, and chat widgets transmit sensitive data to third parties through routine operations. Traditional security tools miss these leaks because they monitor server-side traffic while the exposure occurs in customer browsers. This visibility gap is why organizations use client-side monitoring platforms to detect browser-level data flows that security tools can’t see.

Back in 2022, PCI DSS v4.0 set the stage for a new era of payment security. For the first time, it asked organizations to look beyond their servers and into the browser itself. Then, on April 1, 2025, the “future-dated” requirements, 6.4.3 and 11.6.1, moved from guidance to mandate, decisively shifting attention to mitigating client-side risk. In plain English, the spotlight is now on what’s happening in the browser.

Think of your website as the front desk of your clinic. You wouldn’t let vendors set up recording equipment in your waiting room without contracts. But that’s precisely what happens when tracking pixels, session replay, and chat tools run on patient-facing pages without Business Associate Agreements.

Most HIPAA violations now involve websites and tracking technologies. Standard website tools like analytics, pixels, session replay, and chat create regulated data flows that many teams have never instrumented or reviewed. We’ve seen this play out in public: investigations and lawsuits involving Blue Shield of California and Novant Health showed how ordinary tracking technologies can expose Protected Health Information (PHI) at scale.

The US Department of Justice’s new Data Security Program (DSP) requires organizations to treat large collections of U.S.-person and government-related data as matters of national security.