Feroot finds 96% of healthcare sites

- Feroot Security is promoting a healthcare privacy warning built around third-party website trackers, while a 2024 JAMA Network Open study found 96 of 100 U.S. hospital websites sent visitor data to outsiders.
- The study’s most concrete gap was disclosure: 71 hospital websites had privacy policies, but only 40 named the specific third parties receiving data, and hospital sites sent data to a median nine domains.
- The issue sits inside a broader HIPAA fight over pixels, analytics tags, and session-replay tools on health sites after federal guidance and a 2024 court ruling narrowed part of it. (hhs.gov)

A hospital website can load outside code the way a page loads ads or analytics, and that code can send visitor data to other companies. A 2024 JAMA Network Open study found 96 of 100 nonfederal acute care hospital websites did exactly that. (jamanetwork.com)

Those outside tools are usually pixels, cookies, analytics tags, or session-replay scripts. Feroot says those scripts can touch data such as Internet Protocol addresses, medical record numbers, email or home addresses, and appointment dates when they run on healthcare pages. (feroot.com)

The JAMA study examined hospital websites between November 2023 and January 2024. It found 71 sites had privacy policies, 66 said what categories of third parties got data, and 40 named the specific companies receiving it. (jamanetwork.com) (ncbi.nlm.nih.gov)

The same study found hospital websites transferred user information to a median of nine outside domains. The third parties cited in coverage included Meta, Google, LinkedIn, and Snapchat. (hipaajournal.com) (beckershospitalreview.com)

The legal question is whether the data being sent counts as protected health information under the Health Insurance Portability and Accountability Act, or HIPAA. The Department of Health and Human Services says HIPAA applies when tracking tools collect or disclose protected health information, and marketing disclosures without proper authorization are not permitted. (hhs.gov)

That guidance has shifted in court. HHS says a federal judge in Texas on June 20, 2024, vacated the part of the agency’s online-tracking guidance that treated an Internet Protocol address plus a visit to an unauthenticated public health webpage as enough, by itself, to trigger HIPAA obligations. (hhs.gov)

Feroot has tied that debate to a pitch for continuous compliance tools rather than one-time reviews. Its current product pages say organizations still rely on point-in-time audits and manual reviews, while its platform continuously scans websites and apps, enforces consent behavior, and generates audit trails. (feroot.com 1) (feroot.com 2)

Feroot has made similar healthcare claims before. Its August 20, 2025 webinar page said third-party tracking technologies were collecting patient data on 95% of healthcare websites and argued that traditional security tools and manual reviews miss the problem. (feroot.com)

The underlying problem is simple even if the tooling is not: a hospital can publish a page for appointments, oncology, or billing, then let marketing or analytics code run there without fully seeing what leaves the browser. The 96% figure keeps resurfacing because the outside code is common, the disclosures are thin, and the legal line is still being contested. (jamanetwork.com) (hhs.gov)
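One way to see what leaves the browser on such a page, as an added example that is not from the article, Feroot, or the JAMA study: export a HAR capture from the browser's developer tools and tally the third-party hosts it contacted. The hostnames, the sample capture, and the subdomain-suffix test for "first party" are constructed assumptions.

```python
from urllib.parse import urlsplit, unquote

# Constructed sample in HAR 1.2 shape (log.entries[].request); not real traffic.
PAGE = "https://hospital.example/appointments/oncology"
SAMPLE_HAR = {"log": {"entries": [
    {"request": {"url": "https://hospital.example/static/app.js",
                 "headers": [{"name": "Referer", "value": PAGE}]}},
    {"request": {"url": "https://cdn.hospital.example/logo.png", "headers": []}},
    {"request": {"url": "https://tags.tracker-a.example/collect?dl="
                        "https%3A%2F%2Fhospital.example%2Fappointments%2Foncology",
                 "headers": []}},
    {"request": {"url": "https://tags.tracker-a.example/pixel.gif",
                 "headers": [{"name": "referer", "value": PAGE}]}},
    {"request": {"url": "https://fonts.vendor-b.example/font.woff2",
                 "headers": [{"name": "Referer",
                              "value": "https://hospital.example/"}]}},
]}}


def is_first_party(host, first_party):
    """Exact match or subdomain; a public-suffix list would be more precise."""
    return host == first_party or host.endswith("." + first_party)


def audit_har(har, first_party, page_url):
    """Map each third-party host to request count and page-URL disclosures."""
    report = {}
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = (urlsplit(req["url"]).hostname or "").lower()
        if not host or is_first_party(host, first_party):
            continue
        referer = next((h["value"] for h in req.get("headers", [])
                        if h["name"].lower() == "referer"), "")
        # The visited page can leave via the Referer header or inside the
        # request URL itself (trackers often URL-encode it into a parameter).
        leaked = page_url in referer or page_url in unquote(req["url"])
        row = report.setdefault(host, {"requests": 0, "page_url_sent": 0})
        row["requests"] += 1
        row["page_url_sent"] += int(leaked)
    return report


if __name__ == "__main__":
    result = audit_har(SAMPLE_HAR, "hospital.example", PAGE)
    for host, row in sorted(result.items()):
        print(f"{host}: {row['requests']} request(s), "
              f"{row['page_url_sent']} carrying the page URL")
```

The number of keys in the report is the per-page count of outside hosts; comparing the host list against the names in the site's privacy policy shows the disclosure gap the study measured.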
