Kaiser Just Paid $46M for Website Tracking Pixels. Is Your Healthtech Startup Next?
Google Analytics on your health app might be a HIPAA violation. Kaiser Permanente paid $46M to learn this lesson. Here's how to audit your tracking stack before OCR comes knocking.
In December 2025, a federal court granted preliminary approval for Kaiser Permanente to pay $46 million to settle a class action lawsuit. The data breach affected 13.4 million members. But it wasn't caused by a hack. It was caused by tracking pixels.
Google Analytics. Facebook Pixel. The same tools that most healthtech startups install on day one without a second thought. Kaiser had them running on their patient-facing websites and mobile apps. Those tools were silently capturing protected health information and sending it to third parties. No patient ever consented. No Business Associate Agreement was in place. Because Google and Meta don't sign BAAs.
Kaiser is a $95 billion healthcare giant with an army of compliance lawyers. If they missed this, what are the odds your startup caught it?
Why Tracking Pixels on Health Apps Are a HIPAA Problem
This catches founders off guard because it seems too mundane to be dangerous. You put Google Analytics on your site to understand traffic. You added a Facebook Pixel to measure ad performance. Maybe Hotjar to watch session recordings. Standard stuff for any SaaS product.
Here's the problem. When a user visits a page called /appointments/mental-health-counseling or /conditions/hiv-testing, the URL itself is health information. Combine that URL with the user's IP address, and you've got identifiable health information. That's PHI under HIPAA.
Google Analytics captures the full page URL, the user's IP address, device fingerprint, and browsing behavior. Facebook Pixel does the same, plus it ties that data to a Facebook profile. Hotjar records entire sessions, including form inputs.
None of these companies are your Business Associates. None of them have signed BAAs with you. And none of them will. Google explicitly states they do not offer BAAs for Google Analytics. Full stop.
So every time a patient visits your app and those scripts fire, you're disclosing PHI to a third party without authorization. That's a HIPAA violation. Every. Single. Pageview.
OCR Is Already Watching
This isn't a theoretical risk. The Office for Civil Rights has made tracking technology a top enforcement priority.
In December 2022, HHS published a bulletin specifically about tracking technologies on healthcare websites. They spelled it out clearly: if tracking tech on your site collects individually identifiable health information and transmits it to a third party, that's a disclosure of PHI. You need HIPAA authorization or a BAA in place. Period.
Then in July 2023, OCR and the FTC jointly sent warning letters to 130 hospital systems and telehealth providers they identified as running tracking technologies on patient-facing properties. Those weren't fines. They were warnings. The fines come next if you don't fix it.
Worth noting: the American Hospital Association challenged OCR's tracking technology guidance in court, and in mid-2024 a federal judge vacated parts of the original bulletin. Specifically, the court found OCR overstepped by classifying IP addresses collected on unauthenticated public-facing pages as PHI. But the core principle still holds for authenticated patient portals and any page where a user's identity can be linked to health information. And the Kaiser settlement happened under state consumer protection law, not OCR enforcement. The legal risk is real regardless of how the OCR guidance debate plays out.
Kaiser's $46 million settlement is the first major domino. It won't be the last.
The Tools That Create Risk
Not all analytics tools are equal under HIPAA. Some can be configured safely. Others can't be used at all on patient-facing properties.
Tracking Tools: Risky vs HIPAA-Safe
| Feature | Risky (No BAA Available) | HIPAA-Safe Alternatives |
|---|---|---|
| Web analytics | Google Analytics | Plausible, Fathom, PostHog (self-hosted) |
| Advertising pixels | Facebook/Meta Pixel | Server-side conversion API (stripped) |
| Session recording | Hotjar, FullStory, LogRocket | PostHog (self-hosted), no PHI pages |
| A/B testing | Google Optimize, Optimizely | PostHog (self-hosted), Flagsmith |
| Product analytics | Mixpanel (cloud), Amplitude | PostHog (self-hosted), Mixpanel (with BAA) |
| Tag management | Google Tag Manager | Server-side tag management |
| BAA available | No | Yes on enterprise plans (e.g. Mixpanel); not needed when self-hosted |
| Data stays in your infrastructure | No | Self-hosted options: yes |
The key distinction is simple. If the tool sends data to a third party server and that third party won't sign a BAA, you can't use it on pages where patients interact with health-related content.
Some tools sit in a gray area. Mixpanel offers BAAs on their enterprise plan. Amplitude has a healthcare-specific offering. But the default free or standard plans? No BAA. And if there's no BAA, any PHI that touches their servers is a violation.
The 15-Minute Tracking Audit
You can check your exposure right now. This takes about 15 minutes.
Open your patient-facing app or website and run through each of these:
- Check your HTML source. View source on any page. Search for `gtag`, `analytics`, `fbq`, `hotjar`, `mixpanel`, `amplitude`, `segment`, `heap`. Each one is a script that sends data to a third party.
- Check Google Tag Manager. If you use GTM, log into your container. Every tag that fires on patient-facing pages is a potential PHI disclosure. GTM itself isn't the problem. The tags it loads are.
- Check your HTTP requests. Open Chrome DevTools, go to the Network tab, reload a page. Filter for requests to `google-analytics.com`, `facebook.com`, `hotjar.com`, `mixpanel.com`, `cdn.segment.com`. Each request is sending data off your servers.
- Check URL patterns. Do your page URLs contain health information? `/conditions/diabetes`, `/appointments/psychiatry`, `/prescriptions/metformin`. If yes, any analytics tool capturing those URLs is capturing PHI.
- Check form inputs. Do any session recording tools capture form data? Names, dates of birth, diagnoses entered into forms are PHI.
- Check your BAA register. For every third-party script you found, do you have a signed BAA with that vendor? If not, that script needs to go.
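The source and URL checks above can be scripted so they run on every deploy rather than once by hand. The following is an added example, not code from the original post: it parses a page's HTML, collects external script, image and iframe sources, matches them against the identifiers and hosts listed in the audit, and flags URL paths that carry health context. The sample HTML and the list of health terms are constructed for illustration.

```python
"""Static audit of a page for third-party tracking scripts and health-context URLs.

Added example (not from the original post). Only standard-library modules are used.
"""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Identifiers the audit says to search for in page source.
TRACKER_IDENTIFIERS = ("gtag", "analytics", "fbq", "hotjar", "mixpanel",
                       "amplitude", "segment", "heap")

# Third-party hosts the audit says to filter for in the Network tab.
TRACKER_HOSTS = ("google-analytics.com", "facebook.com", "hotjar.com",
                 "mixpanel.com", "cdn.segment.com")

# Constructed list of path fragments that indicate health context (tune per product).
HEALTH_TERMS = ("condition", "appointment", "prescription", "diagnos",
                "psychiatry", "mental-health", "hiv", "diabetes")


class _ScriptCollector(HTMLParser):
    """Collect external resource sources and inline <script> bodies."""

    def __init__(self):
        super().__init__()
        self.external_srcs = []
        self.inline_scripts = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self.external_srcs.append(attrs["src"])
        if tag == "script":
            self._in_script = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands us the raw JS inside <script>...</script> here.
        if self._in_script and data.strip():
            self.inline_scripts.append(data)


def _host_matches(src, hosts):
    """True if src's hostname is one of hosts or a subdomain of one."""
    host = (urlparse(src).hostname or "").lower()
    return any(host == h or host.endswith("." + h) for h in hosts)


def audit_html(html):
    """Return third-party tracker sources and tracker identifiers found in the page."""
    parser = _ScriptCollector()
    parser.feed(html)
    third_party = [s for s in parser.external_srcs if _host_matches(s, TRACKER_HOSTS)]
    blob = "\n".join(parser.inline_scripts + parser.external_srcs).lower()
    identifiers = sorted(i for i in TRACKER_IDENTIFIERS if i in blob)
    return {"third_party_sources": third_party, "identifiers": identifiers}


def url_carries_health_context(path):
    """True if a URL path looks like it reveals the type of care being accessed."""
    p = path.lower()
    return any(term in p for term in HEALTH_TERMS)


# Constructed sample page: one external GA script, one inline Meta pixel call,
# and one first-party script that should not be flagged.
SAMPLE_HTML = """<html><head>
<script async src="https://www.google-analytics.com/analytics.js"></script>
<script>window.ga=window.ga||function(){(ga.q=ga.q||[]).push(arguments)};ga('create','UA-000000-1','auto');</script>
<script>fbq('init','000000000000000');fbq('track','PageView');</script>
<script src="/static/app.js"></script>
</head><body><p>Book a visit</p></body></html>"""

if __name__ == "__main__":
    print(audit_html(SAMPLE_HTML))
    for path in ("/appointments/mental-health-counseling", "/pricing"):
        print(path, "->", "health context" if url_carries_health_context(path) else "ok")
```

Run it against the rendered HTML of each patient-facing page (fetch it while authenticated, since portals often load different tags after login) and fail the build when `third_party_sources` is non-empty for a vendor without a BAA.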
If you found even one third-party tracking script on patient-facing pages without a BAA, you have a HIPAA exposure right now.
How to Fix Your Tracking Stack
The good news: you don't have to fly blind. You can still measure what matters without sending PHI to Google.
The Privacy-Safe Analytics Stack
For web analytics: Plausible or Fathom. Both are privacy-first, don't use cookies, don't track individual users, and don't capture IP addresses. They tell you what pages get traffic, where visitors come from, and what devices they use. That covers 90% of what most startups actually need from Google Analytics. Plausible is also open source if you want to self-host.
For product analytics: PostHog, self-hosted on your own infrastructure. Self-hosting means patient interaction data never leaves your servers. PostHog gives you event tracking, funnels, session recordings, feature flags, and A/B testing. All in one tool, all on your own infrastructure, covered by your own HIPAA controls.
For ad conversion tracking: Server-side conversion APIs. Both Google and Meta offer server-side APIs that let you report conversions from your backend instead of from the browser. The key: you control what data gets sent. Strip out any PHI before the data leaves your server. Send only the conversion event, not the health context. This takes more engineering work than dropping a pixel on the page, but it's the only HIPAA-compliant way to measure ad performance.
For session recordings: If you absolutely need them, self-hosted PostHog. But think carefully about which pages you record. A session recording of someone navigating your pricing page is fine. A session recording of someone filling out an intake form for depression screening is PHI.
What to Strip, What to Keep
The rule is straightforward. Any data that could identify a person combined with any data that relates to their health condition, treatment, or payment for healthcare is PHI. To be safe:
Strip before sending to any third party:
- IP addresses (or anonymize to the first two octets)
- Full page URLs if they contain health information
- User IDs that could be linked back to patient records
- Form inputs, search queries, or any text the user types
- Any metadata that reveals the type of care being accessed
Safe to keep in privacy-first tools:
- Aggregate page view counts (without user identification)
- Device type, browser, and screen resolution
- Referral source (where they came from)
- Country or region level location (not precise geolocation)
- Conversion events stripped of health context ("signed up" is fine, "signed up for addiction counseling" is not)
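The server-side conversion approach described under "For ad conversion tracking" and the strip/keep lists above come down to one transformation applied to every event before it leaves your backend. The following is an added example, not code from the original post or from Google's or Meta's conversion APIs: the raw event shape, the allowlist of context-free event names, and the health-term list are assumptions, and a real integration would map the sanitized result onto the vendor's own payload format. IPs are truncated to the first two octets as the post recommends; IPv6 addresses are truncated to a /32 prefix, which is the closest equivalent.

```python
"""Strip PHI from a server-side conversion event before sending it to a third party.

Added example (not from the original post). Standard library only.
"""
import ipaddress
from urllib.parse import urlparse

# Constructed list of path fragments that indicate health context (tune per product).
HEALTH_TERMS = ("condition", "appointment", "prescription", "diagnos",
                "psychiatry", "mental-health", "hiv", "diabetes", "addiction")

# Constructed allowlist: event names that carry no health context.
# "signed_up" is fine; "signed_up_for_addiction_counseling" is not, so it is absent.
ALLOWED_EVENT_NAMES = {"signed_up", "started_trial", "purchase"}


def anonymize_ip(ip):
    """Keep only the first two octets of an IPv4 address (or a /32 prefix of IPv6)."""
    addr = ipaddress.ip_address(ip)
    prefix = 16 if addr.version == 4 else 32
    return str(ipaddress.ip_network(f"{ip}/{prefix}", strict=False).network_address)


def strip_health_path(url):
    """Drop query string and fragment always; drop the path too if it reveals care type."""
    parsed = urlparse(url)
    path = parsed.path or "/"
    if any(term in path.lower() for term in HEALTH_TERMS):
        path = "/"
    return f"{parsed.scheme}://{parsed.netloc}{path}"


def sanitize_conversion_event(raw):
    """Return the minimal event the post says is safe to send, or None if it cannot be made safe.

    Fields deliberately not copied: user_id, form inputs, search queries, full URL.
    """
    name = raw.get("event")
    if name not in ALLOWED_EVENT_NAMES:
        return None
    return {
        "event": name,
        "page": strip_health_path(raw["url"]),
        "client_ip": anonymize_ip(raw["ip"]),
        "country": raw.get("country"),   # region-level location is on the "keep" list
        "device": raw.get("device"),     # device type is on the "keep" list
    }


# Constructed raw event as a backend might assemble it from the request.
SAMPLE_RAW_EVENT = {
    "event": "signed_up",
    "url": "https://app.example.com/appointments/psychiatry?q=anxiety",
    "ip": "203.0.113.42",
    "user_id": "patient-1234",
    "form": {"dob": "1990-01-01", "diagnosis": "F41.1"},
    "country": "AU",
    "device": "mobile",
}

if __name__ == "__main__":
    print(sanitize_conversion_event(SAMPLE_RAW_EVENT))
    print(sanitize_conversion_event({**SAMPLE_RAW_EVENT, "event": "signed_up_for_addiction_counseling"}))
```

The allowlist is the important design choice: rejecting unknown event names by default means a new event added by a developer cannot leak health context until someone has consciously decided it is safe to report.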
The Real Cost of Doing Nothing
Kaiser paid $46 million. But Kaiser has $95 billion in revenue. They'll survive.
For a startup with $2 million in seed funding, a HIPAA tracking violation doesn't result in a $46 million fine. It results in something worse: an OCR investigation that drains your legal budget, a corrective action plan that consumes your engineering team for months, and the loss of trust from healthcare customers who learn you were sending their patients' data to Facebook.
HIPAA penalties now range from $145 per violation for unknowing violations up to $2.19 million for willful neglect. Each pageview where a tracking pixel fires without a BAA is arguably a separate violation. If you have 10,000 patient sessions per month, the math gets uncomfortable fast.
And it's not just OCR. State attorneys general have had HIPAA enforcement authority since the HITECH Act of 2009, and they can bring cases alongside their own consumer protection laws. The Kaiser settlement itself was a state-level class action, not an OCR enforcement action. One incident can trigger parallel federal and state investigations.
The fix takes a week. The consequences of not fixing it can take years to resolve.
An architecture review maps your entire tracking stack, identifies HIPAA exposures, and gives you a concrete remediation plan. Takes about a week. That's a lot cheaper than what Kaiser paid. If you're building a healthtech product and need ongoing technical leadership to keep compliance issues from sneaking back in, a fractional CTO engagement handles the architecture, the vendor selection, and the quarterly audits. You ship features. I make sure they don't create liability.
Robbie Cronin
Fractional CTO helping non-technical founders make better technical decisions. Based in Melbourne.