Kaiser Permanente Agrees to Pay Up to $47.5 Million to Settle Web Tracker Litigation
As one recent article puts it, this case is “a loud alarm … about how the intersection of digital marketing strategies and patient privacy can lead to massive liability,” but it’s not the first.
Over the last three years, more than 200 class-action lawsuits have been filed against U.S. healthcare providers for the same issue: third-party tracking pixels, tags, and analytics scripts quietly leaking protected health information from patient portals and public websites.
No ransomware. No hacked servers. Just “normal” marketing tech doing what it was built to do: sending data to Meta, Google, Bing, and other vendors, but from logged-in pages where patients search for cancer symptoms, book appointments, or message their doctors (something that the Reflectiz privacy dashboard would have flagged).
That’s why the settlement scoreboard for recent years reads like a horror movie for compliance officers:
- Kaiser Permanente – up to $47.5 M (pending final approval)
- Aspen Dental – $18.5 M
- BJC HealthCare – $9.25 M
- Mount Sinai – $5.3 M
- Henry Ford Health, Eisenhower Health, Marin Health, University of Rochester Medical Center, Mammoth Hospital… the list keeps growing.
The average settlement? Somewhere between $2 M and $18 M, plus years of reputational damage and forced portal redesigns.
We first covered Kaiser’s breach in May 2024. Here is how it unfolded.
What happened at Kaiser (and why it got into trouble)
Between at least 2017 and 2024, standard trackers (Meta Pixel, Google Analytics, Bing, Hotjar, etc.) were embedded across Kaiser’s website and mobile app, even on authenticated pages. Because those users were logged in, their activity was tied to identifiable patient accounts, meaning every search or click could constitute a PHI disclosure. Every time a member searched the health encyclopedia for “stage 4 lung cancer” (for example) or viewed a lab result, those actions, plus IP address, device ID, and, in some cases, information that could be linked back to a specific member, flowed to third parties.
Since patients use portals to access health-related information, and HIPAA sets strict rules on PHI disclosures, many of those tracking codes were effectively sending PHI (or data qualifying as PHI) to third-party vendors, likely without appropriate consent or vendor agreements. Once that became known, first through an internal review and then through breach reporting, class-action lawsuits quickly followed, alleging negligence, unlawful data sharing, invasion of privacy, and multiple violations of state and federal privacy laws.
Rather than run a years-long legal battle with unpredictable outcomes, Kaiser opted to settle, offering up to $47.5 million (depending on final agreement conditions) to resolve the claims.
Putting it simply: this wasn’t a “hack” or ransomware; it was a compliance and privacy-governance failure of the kind that Reflectiz’s privacy dashboard is designed to catch. It happened because there was a collective underestimation of how “normal marketing/tracking tech” behaves when used in a regulated-health context, particularly on patient-facing portals.
No harm done
While Kaiser maintains the data exposure was limited and shows no evidence of misuse, the $47.5M settlement itself demonstrates the severity of crossing compliance boundaries.
For its part, the company denies any wrongdoing or liability (which is standard in settlements of this nature). It also pointed out that it removed the offending technologies from its websites and mobile applications and informed members about the incident in 2024.
It maintains that the data put at risk was limited (e.g., only IP addresses, login indicators, navigation patterns, and search terms were shared, not full medical records) and that there’s no evidence of it being misused.
While this is all true, reframing the fallout from an explosion isn’t the point. The explosion is. Whether due to missing monitoring capabilities, inadequate internal controls, or both, compliance boundaries were crossed, and the question a lot of people are asking in the wake of this huge settlement is, why? Given that almost 99% of health systems use online tracking tools, and most will likely be using some form of threat management, why have there been 200 lawsuits and counting?
The gap between having tools and using them effectively
Tools like Reflectiz are specifically designed to address the kind of third-party/tracking-component risks that got Kaiser and others in trouble:
- Reflectiz offers continuous monitoring of all third-party (and even fourth-party) scripts, tags, pixels, iframes, etc., giving visibility into what external code is running on web properties, and what data is being collected or exfiltrated.
- It does this remotely, without embedding additional code, so there’s no need to modify the site’s production code to monitor effectively.
- It also provides risk alerts, behavioral analysis, compliance reporting, JavaScript deobfuscation, and exposure rating tools, making it easier for security and compliance teams to spot unwanted data flows or privacy violations early.
- It catches when practices don’t match policies.
- It detects unauthorized marketing or analytics tools operating outside of privacy oversight.
In many ways, Reflectiz could have acted as an early warning system, catching “sneaky pixels” before they passed patient data to third parties, helping Kaiser avoid the breaches that triggered the legal action.
However, some real-world frictions can prevent proper usage. While Reflectiz can be up and running in a matter of hours, it isn’t the kind of solution that you can set and forget, and it doesn’t just belong to security teams, because in a risk-aware organization (the kind that avoids privacy lawsuits), security is collaborative. Part of the problem, though, is that not every organization works like that.
Organizational silos
As analysts have noted in the aftermath of Kaiser’s breach, in many health organizations, there is often a structural disconnect between the marketing departments and web development teams who add analytics and tracking scripts, and the compliance/security teams who should approve them.
For many companies, web-tracking (analytics, conversion tracking, marketing) is seen as a commercial/marketing asset, not a risk, until something goes wrong. Tools like Reflectiz help collapse these silos by giving marketing, development, and compliance teams a shared, continuous view of all web-facing digital assets, something traditional security tooling such as WAFs rarely provides.
Regulatory ambiguity (at least historically)
While regulations like HIPAA do restrict PHI disclosures, the precise “rules” have sometimes been murky, leaving organizations uncertain about exactly what is and isn’t allowed. The DOJ and OCR attempted to clarify the issue around client-side analytics and pixels in 2022–2023, noting that in certain contexts, using some analytics tools may amount to a PHI disclosure. But this guidance collided with years of industry practice in which such tools were considered routine and low-risk, and it arrived after most tracking systems were already deeply embedded across healthcare portals.
So, some health systems were assuming they were safe when they weren’t. Combine that with a lack of real-time visibility into what their web trackers were actually doing, something only specialized monitoring platforms can realistically provide at scale, and the stage was set.
Pairing monitoring tools with good governance
But even when the rules are understood and modern monitoring tools are in place, they cannot compensate for weak oversight structures. Even a robust monitoring tool has limits and doesn’t replace good governance. Here’s why:
Monitoring ≠ prevention: Tools like Reflectiz detect unwanted or suspicious code, but they don’t automatically “block” or remove those scripts. Unless there is a policy and a human process to act on alerts, detection may come too late or not fix the problem.
User-consent and legal context still matter: For a healthcare provider covered by HIPAA or similar laws, it’s not enough to just “spot” that a pixel is leaking data. The organization may still need to ensure explicit consent, vendor agreements, or completely avoid certain third-party tags, regardless of detection.
Supply-chain complexity and dynamic changes: Modern websites, especially for big organizations, load dozens or even hundreds of third-party components (analytics, ad-servers, CDNs, embedded widgets). Even with continuous monitoring, it’s a major effort to review and approve every component, especially as third-party vendors update their code dynamically.
Governance and accountability: The root problem at Kaiser wasn’t just a “bad pixel,” but that tracking tech was allowed to be embedded in patient-portal pages, probably because no one in compliance/security had a full overview or veto power over marketing/web teams. Tools help, but only in a culture with processes that ensure oversight and accountability.
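As an added example that is not part of the original post or of Reflectiz’s product, here is a small Python audit that applies the pattern described above (trackers firing from logged-in pages and echoing the page URL, search terms included, to vendor endpoints) to a constructed request log, and keeps the detection separate from the policy decision that the governance point above says someone must own. The portal hostnames, the `/member/` login prefix and the pixel id are assumptions; the two vendor endpoints are the public collection URLs of Meta Pixel and Google Analytics.

```python
from urllib.parse import urlparse, parse_qs, unquote_plus

# Constructed sample environment: hypothetical portal hostnames and an
# assumed convention that everything under /member/ sits behind login.
FIRST_PARTY = {"portal.example-health.test", "www.example-health.test"}
AUTH_PREFIX = "/member/"
# Policy input, not detection: third-party hosts permitted on logged-in pages.
ALLOWED_ON_AUTH_PAGES = set()

# Constructed request log: (page the browser was on, outbound request it made).
# The tracker URLs mimic the vendors' public collection endpoints; the pixel
# id and tracking id are placeholders.
SAMPLE_REQUESTS = [
    ("https://portal.example-health.test/member/encyclopedia?q=stage+4+lung+cancer",
     "https://www.facebook.com/tr?id=1234567890&ev=PageView"
     "&dl=https%3A%2F%2Fportal.example-health.test%2Fmember%2Fencyclopedia%3Fq%3Dstage%2B4%2Blung%2Bcancer"),
    ("https://portal.example-health.test/member/results/lab/98765",
     "https://www.google-analytics.com/collect?v=1&tid=UA-00000-1&cid=555.42&t=pageview"
     "&dl=https%3A%2F%2Fportal.example-health.test%2Fmember%2Fresults%2Flab%2F98765"),
    ("https://www.example-health.test/locations",
     "https://www.google-analytics.com/collect?v=1&tid=UA-00000-1&cid=555.42&t=pageview"
     "&dl=https%3A%2F%2Fwww.example-health.test%2Flocations"),
    ("https://portal.example-health.test/member/messages",
     "https://portal.example-health.test/api/messages?page=1"),
]

def classify(page_url, request_url):
    """Return a finding for a third-party request, or None for first-party traffic."""
    page, req = urlparse(page_url), urlparse(request_url)
    if req.hostname in FIRST_PARTY:
        return None
    authenticated = page.path.startswith(AUTH_PREFIX)
    # Decode every value the tracker sends a second time: the page URL is
    # usually carried URL-encoded inside a parameter such as dl= or dr=.
    sent = " ".join(unquote_plus(v) for vals in parse_qs(req.query).values() for v in vals)
    leaked_path = page.path if page.path in sent else None
    search_terms = [t for vals in parse_qs(page.query).values() for t in vals if t in sent]
    violation = authenticated and req.hostname not in ALLOWED_ON_AUTH_PAGES
    return {"host": req.hostname, "authenticated_page": authenticated,
            "leaked_path": leaked_path, "leaked_search_terms": search_terms,
            "policy": "violation" if violation else "review"}

def audit(requests=SAMPLE_REQUESTS):
    """Run classify over a request log and keep only third-party findings."""
    return [f for f in (classify(p, r) for p, r in requests) if f]

if __name__ == "__main__":
    for finding in audit():
        print(finding)
```

The `policy` field is where a human process has to take over: the script can say a pixel on a logged-in page is outside policy, but removing the tag, obtaining consent or signing a vendor agreement is still an organizational decision.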
What Kaiser’s case teaches, and how organizations should approach digital-privacy/compliance
- Think of tracking tools not just as “marketing helpers” but as potential compliance liabilities, especially in regulated industries.
- Adopt comprehensive third-party-component monitoring (tools like Reflectiz), plus enforce strict processes: any new web component/tag must pass compliance review before being permitted.
- Establish internal governance bridges between Marketing, Web-Dev, and Security/Privacy teams, so decisions around analytics or tracking cannot bypass compliance oversight.
- Have a robust audit log and accountability framework: Who added the code? Why? What data flows? What third-party partners get that data? And ensure that the logging and reporting schedule is regular.
- Build an organizational culture around data privacy and regulatory compliance, rather than the “it’s just marketing” mindset.
Bottom Line: Reflectiz can help, but organizational culture matters
We aren’t privy to the internal culture of any health service, but we can speculate that those facing litigation would likely benefit from exploring the issues we’ve discussed.
Investing in a CTEM solution is more than repaid when it helps the company avoid fines, lawsuits, and reputational damage. For it to be effective, though, health systems must also embrace a necessary shift in mindset: in the digital age, marketing and risk management are now two sides of the same coin.
Kaiser’s case and many others prove that in modern healthcare, web-tracking oversight isn’t optional; it’s a core compliance requirement. Reflectiz gives organizations the visibility they need, but leadership must supply vigilance.