The five leaks below are the ones that show up most often when we scan healthcare sites. Any one of them can become an OCR investigation, a state attorney general action, or a class action.
1. Tracking pixels on clinical pages
A tracking pixel is a tiny piece of code from Meta, Google, TikTok, LinkedIn, or another ad platform. It sits on your website and tells the ad platform every time someone visits a page. On a marketing page, that's normal. On a page about cancer treatment, breast surgery, or addiction recovery, it's a problem.
The HHS Office for Civil Rights (OCR) said in December 2022 — and again in March 2024 — that an IP address combined with a clinical-context URL counts as protected health information (PHI) when a covered entity collects it. That's the basis for the Advocate Aurora $12.25M settlement, the Novant Health class action, and the federal MDL against Meta with 664-plus hospital systems identified.
A federal court (the Northern District of Texas) carved out part of the OCR position in June 2024 in AHA v. Becerra. The carve-out covers generic marketing pages where a visitor’s intent is unclear. It does not cover condition pages, find-a-doctor pages, scheduling flows, or anything inside a logged-in portal.
2. Scheduling widgets and intake forms without a BAA
Calendly's free plan does not include a Business Associate Agreement (BAA). Neither does Typeform's standard plan, JotForm's basic plan, or Google Forms. Acuity, SimplePractice, and Zocdoc all have HIPAA-eligible tiers, but most of the embeds we see in the wild are on the cheaper plans.
The widget vendor sees the patient's name, contact information, and reason for visit. Without a signed BAA, that's an unauthorized disclosure under 45 CFR §164.504(e). MMG Fusion, a dental software vendor, settled with OCR in March 2026 for $10K plus a three-year corrective action plan after exposing 15 million patient records through this kind of arrangement.
3. Session-replay scripts on intake forms
Hotjar, FullStory, Microsoft Clarity, and LogRocket record what users do on your website. They capture mouse movements, clicks, scrolls, and — if you don't configure them carefully — what users type into forms before they submit, including data they later delete.
Microsoft Clarity is free, which means there's no BAA. Hotjar and FullStory have BAAs but only on enterprise tiers. Most of the deployments we see are on the free or self-serve plans.
The legal exposure is two-layered. First, it's a potential HIPAA disclosure if the form was on a clinical page. Second, it's a potential wiretap claim under California's Invasion of Privacy Act, Pennsylvania's WESCA, or similar state laws. The plaintiffs' bar has filed more than 4,000 of these wiretap class actions and demand letters since 2022. The statutory damages are $5,000 per violation in California.
4. Exposed dev files
Files like `.env`, `.git`, and old database backups sometimes get left on production web servers by accident. They contain database passwords, API keys, and cloud credentials. Anyone who knows the file name can fetch them with a browser.
A 2024 extortion campaign found `.env` files exposed on roughly 110,000 domains, harvested 90,000 environment variables, and used the credentials to break into AWS accounts. The OCR Risk Analysis Initiative — 12 enforcement actions in 2024 and 2025 — has cited this kind of exposure as evidence that the practice never did a real risk assessment, which is a separate violation under 45 CFR §164.308(a)(1)(ii)(A).
5. Patient-portal subdomains running the marketing-site trackers
The biggest pixel-related settlements weren't about the marketing site. They were about the patient portal. The Markup found Meta Pixel inside MyChart-integrated portals at 7 of the top 100 U.S. hospitals in June 2022. Advocate Aurora's $12.25M settlement covered the portal too.
The login page of a portal is technically public, so it's easy to overlook. But scripts loaded on the login page often persist after login. Anything that fires on `mychart.yourhospital.org` is operating in the most regulated context HIPAA covers, and most hospitals don't even know what's running there.
What to do about it
Run a scan of your public-facing site and your patient-portal subdomain. If you find any of the five issues above, document what you found, when you found it, and your remediation plan — that documentation is what OCR will ask for first. Then start with the highest-risk surface (anything on the patient portal), get the BAAs you should already have, and remove the trackers that don't belong.
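One way to do a first pass offline on saved page HTML, as an added example rather than the scanner this article describes (the tracker host list and the clinical-URL keywords are assumptions to tune for your own site):

```python
# Added example (not the article's own scanner): flag known ad pixels and session-replay
# scripts in saved page HTML. Indicator hosts and clinical keywords below are assumptions.
from html.parser import HTMLParser
from urllib.parse import urlparse

TRACKERS = {  # assumed third-party script hosts -> (vendor, kind); verify against vendor docs
    "connect.facebook.net": ("Meta Pixel", "ad pixel"),
    "www.googletagmanager.com": ("Google Tag Manager", "ad pixel"),
    "analytics.tiktok.com": ("TikTok Pixel", "ad pixel"),
    "snap.licdn.com": ("LinkedIn Insight Tag", "ad pixel"),
    "static.hotjar.com": ("Hotjar", "session replay"),
    "www.clarity.ms": ("Microsoft Clarity", "session replay"),
    "edge.fullstory.com": ("FullStory", "session replay"),
    "cdn.logrocket.io": ("LogRocket", "session replay"),
}
CLINICAL_HINTS = ("cancer", "oncology", "surgery", "addiction",  # assumed URL fragments
                  "find-a-doctor", "schedul", "mychart", "portal")  # marking clinical context

class _SrcCollector(HTMLParser):
    """Collect the src attribute of every script, img and iframe tag."""
    def __init__(self):
        super().__init__()
        self.sources = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            src = dict(attrs).get("src")
            if src:
                self.sources.append(src)

def page_context(url):
    """'clinical' if the host or path carries a clinical hint, else 'marketing'."""
    parsed = urlparse(url)
    target = ((parsed.hostname or "") + parsed.path).lower()
    return "clinical" if any(hint in target for hint in CLINICAL_HINTS) else "marketing"

def scan_html(url, html):
    """Return (vendor, kind, severity) per known tracker; 'high' on clinical pages, else 'review'."""
    parser = _SrcCollector()
    parser.feed(html)
    severity = "high" if page_context(url) == "clinical" else "review"
    findings = []
    for src in parser.sources:
        host = urlparse(src, "https").hostname or ""  # also resolves //host/path sources
        if host in TRACKERS:
            findings.append(TRACKERS[host] + (severity,))
    return findings

SAMPLE_HTML = """<html><head><script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script src="//www.clarity.ms/tag/abc123"></script><script src="/assets/site.js"></script>
</head><body><img src="/logo.png"></body></html>"""  # constructed sample portal login page
```

Run `scan_html("https://mychart.example-hospital.org/login", SAMPLE_HTML)` on the constructed sample to see both the pixel and the replay script flagged as high; inline-initialised trackers (no `src`) need a separate check.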
We do this scan automatically. If you want to see what’s on your site without filling out a form, the free tier covers the first scan.