PRESS RELEASE

Piwik PRO and Verified Data Study Finds Hidden Compliance Risks on US Hospital Websites

Wroclaw, Poland, July 2nd, 2026, FinanceWire


A joint study by Piwik PRO and Verified Data scanned 59 major US hospital and clinic websites for tracking, consent and data compliance. Findings reveal widespread compliance risks across major U.S. healthcare websites, exposing hospitals and clinics to growing legal, regulatory and reputational risk. 73% of websites scanned were running advertising or marketing trackers despite active privacy opt-out signals. 

The findings from the HIPAA-ready analytics platform Piwik PRO and the digital analytics consultancy Verified Data suggest that the reason may lie in the widespread adoption of standard marketing and analytics tools that were designed to optimize traffic and advertising performance, not to meet the requirements of regulated healthcare environments.

What the study found:

  • 73% of scanned websites had advertising or marketing trackers running despite visitors enabling the Global Privacy Control (GPC) opt-out signal.
  • 69% were using marketing or advertising cookies – a strong indicator of data being routed to third-party ad platforms.
  • Researchers identified 75 unique tracking tools across the scanned websites, including Google Analytics, Meta Pixel, Microsoft Advertising and session replay technologies.

A compliance problem hidden in plain sight 

The report comes amid intensifying scrutiny of healthcare data practices in the United States. Between 2023 and 2025, healthcare organizations paid more than $100 million in HIPAA-related settlements tied to tracking technologies and alleged improper disclosures of patient-related information, according to the study.

"This isn’t a story about reckless marketers or bad intentions. Healthcare organizations often inherit their analytics setup rather than actively choose it. Google Analytics became the default for many because it was free, established and widely understood. The challenge today is scope creep. What began as website analytics has evolved into broader behavioral ad targeting platforms. In regulated sectors such as healthcare, that creates greater compliance risk and requires much closer scrutiny of how data gathering tools are configured and governed," said Brian Clifton, founder of Verified Data and digital analytics and privacy expert.

The study did not attempt to determine whether protected health information (PHI) was actually transmitted. Instead, the scans looked for the presence and behavior of tracking scripts, cookies, advertising pixels and consent systems. Still, the findings paint a disturbing picture for healthcare marketers trying to balance performance goals with strict privacy obligations.

The closeness of the two figures, active advertising or marketing trackers (73%) and marketing cookies placed (69%), indicates that some tracking technologies functioned without cookies and that traditional cookie-blocking measures were not effective at preventing data exposure.

Patients expect that their health-related behavior stays private when they visit a hospital website. “Meeting that expectation is entirely possible with the right setup - and organizations that get there aren’t just reducing their legal risk. They’re building something more valuable: a digital presence their patients can actually trust,” said Magdalena Pawlitko, Head of Global Sales at Piwik PRO.

Traditional adtech creates risk in healthcare 

Standard advertising technologies are often structurally incompatible with healthcare compliance requirements because they send behavioral data to third-party platforms that do not operate under healthcare business associate agreements (BAAs). The solution is not to stop doing digital marketing but to rebuild the core marketing infrastructure around privacy, consent governance and first-party data collection.

"The organizations we work with aren’t starting from zero. They’ve got years of marketing data, established campaign structures and teams that know what they’re doing. The goal isn’t to tear that down, but to rebuild the infrastructure underneath it so the data they’re collecting is actually usable long-term, without crossing any privacy lines," said Patryk Stoch, Business Development Manager at Piwik PRO.

A six-step path forward for healthcare organizations to avoid compliance risks:

  1. Audit current tracking and tagging setups.
  2. Remove advertising pixels from health-related pages.
  3. Fix consent enforcement at the tag-management layer.
  4. Migrate to analytics platforms that support healthcare compliance requirements and BAAs.
  5. Activate first-party patient data compliantly.
  6. Treat compliance as an ongoing operational process rather than a one-time review.

The full report, Healthcare Website Tracking Report 2026: Are Healthcare Marketers One Audit Away from a Compliance Crisis?, is available here: https://piwik.pro/healthcare-website-tracking-report-2026/ 

About Piwik PRO

Piwik PRO helps data-sensitive organizations turn clean, compliant behavioral data into faster decisions, stronger marketing performance, and real-time customer activation. The platform combines analytics, tag management, consent management, and data activation while giving teams full control over their data. 



Contact
Tomasz Borowski
t.borowski@piwik.pro


Disclaimer. This is a paid press release.