Open your practice website in a private browser tab. Navigate to your contact form. Right-click anywhere on the page, choose Inspect, and click the Network tab in the panel that opens. Reload the page. Now look at the URLs scrolling past — the outbound requests your browser is making. Filter for "facebook," "tiktok," "google," "snap," "linkedin," "doubleclick," or "googletagmanager." Count the matches.
Every match is a tracking pixel sending information to that ad network's servers — what page the visitor is on, what they clicked, and depending on configuration, more.
Last week Bloomberg News confirmed that nearly all twenty state-run health insurance exchanges in the United States, plus the District of Columbia, have those exact trackers embedded on applicant-facing pages. The Washington state exchange was sending applicants' sex and citizenship responses to TikTok. Virginia's premium estimator was sending ZIP codes to Meta. New York's marketplace was sharing pages visited during enrollment — including pages where applicants disclosed having incarcerated family members — with TikTok, Meta, Snap, and LinkedIn. More than seven million Americans bought health coverage for 2026 through these sites. Their personal information leaked to ad networks the entire time.
The state exchanges didn't intend it. The trackers were installed by marketing teams, by contracted web vendors, by configuration choices made years earlier and never re-examined. Bloomberg reviewed thousands of enrollment pages with the privacy firm Feroot. In testing, a journalist's Facebook account was tied to visits across ten of the exchanges and could be retargeted with ads based on those visits. The leakage isn't theoretical — it's how the underlying ad infrastructure works by design.
One important detail: Healthcare.gov, the federal exchange used by the other thirty states, does not embed these specific trackers. This is a state-level configuration problem, not a federal one. Which is exactly the situation your independent practice is in. There's no enterprise security team auditing your website. The configuration choices are yours, and they probably stopped being examined right after you stopped paying attention to the Facebook ad campaign that prompted the pixel install in the first place.
Your practice site is the same problem in miniature.
Most independent practitioners have a website that someone — a developer, an agency, a marketing consultant — set up sometime between 2019 and now. Somewhere along the way, that someone dropped in tracking pixels: a Meta Pixel for Facebook ads, a Google Ads conversion tag, maybe a TikTok pixel during a 2024 healthcare-adjacent campaign, possibly a LinkedIn Insight tag if you were recruiting clinicians. Each pixel was installed for a reasonable marketing purpose. None of them came with a written-down decision about which pages they could and could not fire on.
The pixel doesn't care. It fires on every page it's deployed to. If your developer installed it via Google Tag Manager and left the "All Pages" trigger active, it fires on your homepage and on your patient intake form alike. If it fires on your intake form, it sends to Meta or Google or TikTok: the URL of the form (often containing "intake" or "new-patient"), the referrer (which page the visitor came from), any URL parameters (which may contain identifying tokens), and depending on configuration, the contents of form fields the visitor typed before submitting.
The 2024 Texas district court ruling in AHA v. Becerra pulled HIPAA's regulatory hook out from under most of OCR's pixel-tracking enforcement appetite. That mattered. But it didn't make the underlying problem go away. And it didn't touch the parallel exposure that lives in state consumer health data laws — Washington's My Health My Data Act, Connecticut's Data Privacy Act, the under-construction New York Health Information Privacy Act — or in the still-active class action bar, where the plaintiff firms that filed dozens of pixel-tracking suits in 2023 and 2024 are still filing today under different statutes.
The operational gap, in one sentence: most independent practices have tracking pixels installed that they do not know are firing, on pages they do not know are sensitive, sending data to companies they did not contract with for that purpose.
That's not a HIPAA conclusion. That's an operational fact about how the modern marketing-tech stack works on small-business websites.
The Vault's FTC Pixel Audit Walkthrough exists to close exactly that gap. It does five things, in order. First, it walks you through identifying every tracking pixel on your site — not just the ones you remember, the ones actually deployed. The walkthrough covers Google Tag Manager (where most pixels actually live, even if you think they live somewhere else), direct pixel installations in the page header, and pixels installed via plug-ins or third-party widgets (chat tools, online scheduling embeds, review platforms — all common pixel-carrier vectors). Second, the walkthrough has you map every patient-facing page on your site: intake forms, scheduling tools, contact forms, patient portal login links, telehealth entry points, "find a provider" tools, anywhere a patient identifies themselves or selects a service. Third, for each pixel × page combination, the walkthrough gives you configuration options — disable on patient pages via tag manager rules, restrict to first-party data only, remove entirely, or for cases where you legitimately need conversion tracking on a thank-you page, switch to server-side or privacy-preserving alternatives. Fourth, the walkthrough generates a documented audit you save: which pixels existed, which pages they fired on, which configurations you changed, when, and why. Fifth, it gives you a quarterly recurrence cadence so the audit doesn't decay the moment you switch ad platforms or hire a new web developer.
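As an added example (not the Vault walkthrough's tooling or code from the original post), the Python script below turns a Network-tab style export into the pixel × page matrix that steps one to three call for: it classifies each outbound request by ad network, flags pages whose paths look patient-facing, and reports which networks fire there. The tracker host fragments, the patient-path keywords, and the example-practice.invalid sample export are constructed assumptions you would replace with your own site's pages and requests.

```python
# Pixel-by-page audit helper. Added example, not the Vault walkthrough's tooling
# or code from the original post. Host fragments, path keywords and the
# example-practice.invalid sample export are constructed assumptions.
from urllib.parse import urlparse

# Assumed host fragments for the networks named in the dev-tools exercise.
TRACKER_HOSTS = {
    "facebook": "Meta", "tiktok": "TikTok", "snapchat": "Snap", "sc-static": "Snap",
    "linkedin": "LinkedIn", "doubleclick": "Google Ads", "googletagmanager": "Google Tag Manager",
}
# Assumed path keywords that mark a page as patient-facing (step two of the audit).
PATIENT_PATH_KEYWORDS = ("intake", "new-patient", "schedule", "portal", "telehealth", "contact")

def classify_request(url):
    """Return the ad network a request reports to, or None for first-party/unknown hosts."""
    host = urlparse(url).netloc.lower()
    for fragment, network in TRACKER_HOSTS.items():
        if fragment in host:
            return network
    return None

def is_patient_facing(page_url):
    """Does the page path look like a place where a patient identifies themselves?"""
    path = urlparse(page_url).path.lower()
    return any(keyword in path for keyword in PATIENT_PATH_KEYWORDS)

def audit(entries):
    """Build the pixel x page matrix and list (page, network) pairs firing on patient pages."""
    matrix = {}
    for entry in entries:
        networks = {n for n in map(classify_request, entry["requests"]) if n}
        matrix[entry["page"]] = sorted(networks)
    findings = [(p, n) for p, nets in matrix.items() if is_patient_facing(p) for n in nets]
    return matrix, findings

# Constructed sample: what the Network tab might list on a homepage and an intake form.
SAMPLE_EXPORT = [
    {"page": "https://example-practice.invalid/", "requests": [
        "https://example-practice.invalid/css/site.css",
        "https://www.googletagmanager.com/gtm.js?id=GTM-EXAMPLE",
        "https://www.facebook.com/tr?id=000&ev=PageView"]},
    {"page": "https://example-practice.invalid/new-patient-intake?ref=abc123", "requests": [
        "https://example-practice.invalid/js/form.js",
        # The pixel's dl= parameter carries the form URL, ref token included.
        "https://www.facebook.com/tr?id=000&ev=PageView&dl=https%3A%2F%2Fexample-practice.invalid%2Fnew-patient-intake%3Fref%3Dabc123",
        "https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=EXAMPLE"]},
]

if __name__ == "__main__":
    print(audit(SAMPLE_EXPORT))
```

Each `(page, network)` pair in the findings list is one row for the audit record: the page, the pixel that fired there, and the configuration change you make in response.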
This is the same protocol Brad runs in Operational Advisory Sessions when a practice owner says "I'm not sure what's on our site." The Vault version is self-serve.
This week, three steps.
One. Tonight, do the network-inspector exercise on your contact form page (10 minutes). Note which pixels surprise you. Most practices will find at least one — but if yours doesn't, document that fact and move on.
If you'd rather skip the dev-tools step, Apex Vault offers a free pixel scanner for small and midsize healthcare practices. Paste your URL, get an on-screen report showing which trackers are firing on the page. (Disclosure: Apex Vault is a separate company I founded.)
Two. This week, map your patient-facing pages and check each one the same way (30–60 minutes). Build a two-column list: page name, pixels fired. If your developer or web platform doesn't allow page-level pixel rules, that's information in itself — it means the audit choice is "remove the pixel entirely" rather than "disable on patient pages."
Three. Before next Monday, make the configuration changes and document them. If a plaintiff firm or state attorney general ever asks what your site was sending to Meta, the document is the answer.
The Encrypted Chart Vault includes the FTC Pixel Audit Walkthrough — calibrated for independent practice, not enterprise ad ops. National edition $299. NY edition $349 adds SHIELD Act and state-specific addenda. Bloomberg confirmed last week what an audit would tell you about your own site. The audit is faster than waiting for the question to come from someone less friendly.
Brad
- Bloomberg News, "Meta, TikTok Are Sent Personal Data From Health Exchanges" (May 4, 2026): bloomberg.com/features/2026-healthcare-advertising-trackers-privacy.
- Tech Brew, "US state health exchanges leaked customer data to Big Tech" (May 4, 2026): techbrew.com/stories/2026/05/04/state-health-insurance-data-big-tech.
- The Cyber Signal, "20 State Health Exchanges Leaked Citizenship Data to TikTok" (May 5, 2026): thecybersignal.com/state-health-exchanges-sent-citizenship-race-data-tiktok-meta-bloomberg-investigation.
- American Hospital Association v. Becerra, Northern District of Texas (June 20, 2024) — court decision vacating portions of HHS-OCR's December 2022 guidance on online tracking technologies. State consumer health data laws (Washington MHMDA, Connecticut CTDPA) and class action filings remain active enforcement paths.