Treatment Center Compliance Monitor
Prepared for your clients · Updated June 2026
Client Advisory · Tracking-Technology Exposure · Substance Use Treatment

What every treatment center needs to know about the tracking pixels on their website

A plain-language guide to the lawsuits, settlements, and federal rules that affect substance use disorder treatment centers running advertising pixels on their websites. Prepared by your marketing agency to help you make informed decisions about your digital presence.

01

The Landscape

Settled so far: $152M+ (healthcare tracking-pixel settlements, 2022–2026)
Hospitals using third-party pixels: 66% (peer-reviewed Rutgers study, PNAS Nexus 2026)
Increased breach risk: 46% (higher breach probability with third-party pixels)
What the numbers mean
Two out of three hospitals run the same tracking tools your treatment center likely runs. Those hospitals are almost 50% more likely to be involved in a data breach.
A peer-reviewed study from Rutgers University (published in PNAS Nexus, May 2026) analyzed 12 years of data from 1,201 hospitals. The finding: third-party tracking pixels — the same tools that power Meta ads and Google Analytics — are the single largest contributor to unintended data disclosures in healthcare. First-party analytics (where you control the data and it never leaves your systems) show no increase in breach risk. The technology itself is not the problem. Sending the data to outside companies is.
Filing rate. An analysis by the law firm Troutman Pepper tracked 197 federal wiretap complaints filed between September 2025 and March 2026 — a rate two to four times higher than the same period the prior year. The plaintiff bar has a formula, and it is working. Treatment centers are among the industries facing the fastest-growing exposure.
02

What Makes Treatment Centers Different

The Part 2 Problem
Substance use disorder treatment records carry stricter federal protections than standard medical records. Most treatment centers do not realize their website tracking violates those protections.
Under a federal rule called 42 CFR Part 2, substance use disorder treatment records are protected even more strictly than regular HIPAA-protected health information. Part 2 was originally written to encourage people to seek treatment without fear that their records would be shared with employers, insurers, or law enforcement.

What this means for your website: When a prospective patient visits a treatment center's website and views pages like /detox, /rehab, /treatment, /addiction, or /suboxone, the URL itself reveals they are seeking substance use treatment. If a Meta Pixel or Google Analytics tag is running on that page, it transmits that URL — along with the visitor's IP address and device information — to Facebook or Google servers. Under Part 2, that transmission is an unauthorized disclosure of substance use treatment information to a third party who has no right to receive it.

This is not just a HIPAA problem. This is a HIPAA problem plus a Part 2 problem plus a state-law problem. Treatment centers carry more layers of legal exposure than almost any other type of healthcare provider.

Treatment centers face five layers of legal exposure from a single tracking pixel:

42 CFR Part 2 — Substance Use Confidentiality (Strictest)
HIPAA — Health Information Privacy (Federal)
State Consumer Health Privacy, e.g., WA MHMDA (State CHP)
State Wiretap Statutes, e.g., CIPA, IL Eavesdropping (State)
FTC Act / Health Breach Notification Rule (Federal)
Why the stacking matters. A standard healthcare provider might face two or three of these layers. A substance use treatment center faces all five simultaneously. Each layer has its own enforcement mechanism — some through private lawsuits, some through state attorneys general, some through federal agencies. A single tracking pixel on a single page can trigger liability under all five at once.
03

How Treatment Centers Get Sued

Layer 1 · 42 CFR Part 2
Substance use records disclosed without specific written consent
Part 2 requires specific written consent before SUD treatment information can be shared with anyone — even other healthcare providers. There is no exception for analytics platforms or advertising networks. When a pixel transmits a URL like /addiction-treatment along with a visitor's IP address to Facebook, that is a disclosure Part 2 prohibits. The consent forms your clients currently use for treatment intake do not cover advertising analytics.
Layer 2 · HIPAA
Protected health information sent to a company without a Business Associate Agreement
Meta and Google are not your clients' business associates. There is no BAA between a treatment center and Facebook covering the Meta Pixel. When the pixel fires on a patient-facing page, HIPAA-protected information (IP address combined with health-intent URL) goes to a company with no contractual obligation to protect it. This is the same fact pattern that produced the $46 million Kaiser Permanente settlement in 2025.
Layer 3 · State Health Privacy Laws
Washington, Nevada, Connecticut, and more are passing laws specifically about health data
Washington State's My Health My Data Act treats the transmission of health data to an advertising platform as a "sale" of consumer health information — and requires a specific written authorization that no website visitor has ever signed. If your clients' treatment center serves anyone in Washington State (even via telehealth), this law applies. Nevada and Connecticut have similar statutes. More states are following.
Layer 4 · State Wiretap Laws
Recording what someone does on a website without their real consent
In California, Illinois, Massachusetts, Pennsylvania, Florida, and other states, intercepting someone's online activity and sending it to a third party can be treated as wiretapping. The largest healthcare settlement to date — Kaiser Permanente at $46 million — was brought primarily under California's wiretap statute. A cookie banner or terms-of-service page does not provide the kind of consent these statutes require.
Layer 5 · FTC Enforcement
The federal government is actively pursuing healthcare companies for tracking-pixel violations
The Federal Trade Commission has already settled enforcement actions against three behavioral-health platforms for sharing patient data through tracking pixels: BetterHelp ($7.8 million), Cerebral ($7 million), and Monument ($2.5 million). Monument is an alcohol-use-disorder platform — directly analogous to substance use treatment centers. In each case, the company promised in its privacy policy not to share health data for advertising, but the pixels did exactly that. The FTC has made clear that mental health and substance use treatment are enforcement priorities.
04

What Your Clients Need to Know

Current as of June 2026
The docket is moving faster than most treatment centers realize. Here are the developments that matter right now.
California Supreme Court lowers the bar for lawsuits (May 14, 2026). In a unanimous ruling, the California Supreme Court held that plaintiffs do not need to prove their health data was actually viewed by an unauthorized party. It is enough to show the data was exposed to a "significant risk of unauthorized access." This makes it easier to sue any healthcare company running third-party pixels in California.

First lawsuits against health insurers (May 2026). A major plaintiff firm filed four simultaneous class actions against Humana, Cigna, Elevance Health, and Blue Cross Blue Shield of Michigan for tracking-pixel data harvesting. The docket has now expanded from hospitals and providers to insurers — treatment centers that accept insurance from these companies should pay attention.

First Big Pharma class action (March 2026). A breast-cancer patient sued Novartis for tracking pixels on branded drug websites. This signals the docket is reaching every corner of healthcare, not just hospitals.

Appellate decision pending that could reshape the entire landscape. The First Circuit Court of Appeals heard oral argument in April 2026 on whether website operators face federal wiretapping liability for using tracking tools. A decision is expected mid-2026 and will affect every healthcare provider in the country.
05

Cases That Set the Benchmark

These are the settlements and enforcement actions that define the financial reality. Treatment centers are in the same category as these defendants — the same tracking tools, the same legal theories, the same plaintiff firms.

| Who was sued | Category | Settlement | What happened |
| --- | --- | --- | --- |
| Kaiser Permanente (California · Dec 2025) | Health system | $46.0M | Meta Pixel on patient portal transmitted patient names, appointment data, and search terms to Facebook. Largest healthcare tracking settlement on record. |
| Adena Health System (Ohio · 2026) | Regional nonprofit | $17.8M | Meta Pixel and Google Analytics on patient portal. 89,000 patients. Approximately $200 per affected patient, one of the highest per-person settlement rates. |
| BetterHelp (FTC enforcement · 2023) | Mental health | $7.8M | Meta Pixel transmitted users' mental-health intake answers (anxiety, depression, suicidal ideation) to Facebook for ad targeting. Permanent ban on health-data sharing. |
| Cerebral (FTC enforcement · 2024) | Mental health | $7.0M | Meta Pixel and TikTok pixel disclosed mental-health information of 3.2 million users. Permanent ban. Tied to stimulant-prescribing controversies. |
| Monument (FTC enforcement · 2024) | Alcohol use disorder | $2.5M | Alcohol-use-disorder treatment platform disclosed substance-use treatment data to Meta and Google via pixels. Directly analogous to residential rehab and SUD treatment centers. |
| GoodRx (FTC + DOJ · 2023) | DTC pharmacy | $1.5M | First-ever FTC Health Breach Notification Rule enforcement. Facebook Pixel shared medication data for advertising. Falsely displayed HIPAA seal on website. |
| Shields Health Care Group (Massachusetts · 2024) | Health system | $15.35M | Imaging-services provider. Meta Pixel on appointment and portal pages. Massachusetts wiretap statute + consumer protection (treble damages). |
| Advocate Aurora Health (Wisconsin · 2024) | Health system | $12.3M | Self-disclosed Meta Pixel breach affecting 3 million patients. The case that started the wave in 2022. |
| Duke University Health System (North Carolina · 2026) | Academic med center | $3.74M | Pixels on MyChart patient portal AND mobile app. 872,634 affected patients. Both web and app tracking vectors addressed. |
| Premom (Easy Healthcare) (FTC + 3 state AGs · 2023) | Health app | $200K | Ovulation and menstrual data shared with China-based companies via SDKs. First case where device identifiers (IMEI) were ruled identifiable health information. |
Why Monument matters most for your clients. Monument is an alcohol-use-disorder telehealth platform — the closest publicly-settled analog to a substance use treatment center. The FTC found that Monument shared substance-use treatment data with Meta and Google for advertising despite privacy-policy promises. Every residential rehab, detox, IOP, and MAT clinic running Meta Pixel on treatment pages faces the same fact pattern. The FTC has stated explicitly that substance use treatment is an enforcement priority.
06

Your Website Right Now

If your treatment center's website has any of these URL paths AND runs a Meta Pixel, Google Analytics, Google Ads tag, or TikTok Pixel, the tracking tool is transmitting information about what the visitor is looking for to an advertising platform:

What the pixel sends
Every page view transmits data to an outside company
When someone visits yourfacility.com/opioid-treatment, the Meta Pixel sends Facebook: the full URL (revealing what condition they are researching), their IP address (revealing approximate location), a device fingerprint (identifying the specific phone or computer), and a cookie that links this visit to their Facebook account. Google Analytics sends similar data to Google. Neither company has a Business Associate Agreement with your treatment center. Neither is authorized under Part 2 to receive this information.
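One way to check a site for the transmission described above, as an added example that is not part of the original advisory or any vendor's tooling: take the request URLs captured while loading a page (for instance from a browser HAR export) and flag those sent to advertising or analytics domains that carry a treatment-related page URL. The tracker domain list, the `dl` parameter in the sample requests, the placeholder IDs, and the yourfacility.example domain are assumptions made for illustration; the sensitive terms come from the URL paths this guide lists.

```javascript
// Added example: audit a captured request list for third-party tracker calls
// that carry a treatment-related page URL. All sample data is constructed.
const SENSITIVE_TERMS = ['detox', 'rehab', 'treatment', 'addiction', 'suboxone'];

// Assumption: commonly seen tracker domains, not an exhaustive list.
const TRACKER_DOMAINS = {
  'facebook.com': 'Meta Pixel',
  'facebook.net': 'Meta Pixel',
  'google-analytics.com': 'Google Analytics',
  'googletagmanager.com': 'Google tag',
  'doubleclick.net': 'Google Ads',
  'tiktok.com': 'TikTok Pixel',
};

function vendorFor(hostname) {
  const h = hostname.toLowerCase();
  const hit = Object.keys(TRACKER_DOMAINS).find((d) => h === d || h.endsWith('.' + d));
  return hit ? TRACKER_DOMAINS[hit] : null;
}

function isSensitivePath(pathname) {
  const p = pathname.toLowerCase();
  return SENSITIVE_TERMS.some((term) => p.includes(term));
}

// Returns one finding per request sent to a known tracker domain.
function auditCapture(pageUrl, requestUrls) {
  const page = new URL(pageUrl);
  const path = page.pathname.toLowerCase();
  const sensitive = isSensitivePath(path);
  const findings = [];
  for (const raw of requestUrls) {
    let req;
    try { req = new URL(raw); } catch { continue; } // skip malformed entries
    const vendor = vendorFor(req.hostname);
    if (!vendor) continue; // first-party or unknown host
    // searchParams yields decoded values, so an encoded page URL is matched too.
    const leakingParams = [...req.searchParams]
      .filter(([, value]) => sensitive && value.toLowerCase().includes(path))
      .map(([name]) => name);
    findings.push({ vendor, host: req.hostname, leakingParams, exposesSensitiveUrl: leakingParams.length > 0 });
  }
  return findings;
}

// Constructed capture for a visit to a treatment page (placeholder IDs and domain).
const PAGE = 'https://yourfacility.example/opioid-treatment';
const CAPTURE = [
  'https://www.facebook.com/tr/?id=000000000000000&ev=PageView&dl=https%3A%2F%2Fyourfacility.example%2Fopioid-treatment',
  'https://www.google-analytics.com/g/collect?v=2&tid=G-PLACEHOLDER&dl=https%3A%2F%2Fyourfacility.example%2Fopioid-treatment',
  'https://analytics.yourfacility.example/collect?path=%2Fopioid-treatment', // self-hosted, first-party
];
console.log(auditCapture(PAGE, CAPTURE));
```

The self-hosted analytics request is not flagged because its host is first-party, which matches the guide's distinction between first-party analytics and data sent to outside companies.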
What a consent banner does not fix
Cookie banners and privacy policies do not cure this problem
A cookie consent banner addresses general data-collection preferences. It does not meet the specific written consent required under 42 CFR Part 2 (which requires naming the specific recipient and specific data being shared). It does not constitute a "Valid Authorization to Sell" under Washington State's MHMDA (which requires naming the buyer, the data, the purpose, and providing a 1-year expiration with right to revoke). The banner is legally irrelevant to the claims plaintiff firms are bringing.
07

What You Can Do Now

These are concrete steps your treatment center can take to understand and begin addressing tracking-pixel exposure. None of these are legal advice — consult counsel for your specific situation.

Compliance Infrastructure Partner
APEX VAULT.
Apex Vault provides compliance infrastructure for healthcare organizations. The architecture replaces third-party tracking pixels with private, self-hosted analytics and sanitized conversion signals — preserving marketing attribution while preventing health data from reaching outside advertising platforms.
Learn more at apexvaultcompliance.com