- Reported US healthcare data breaches affected roughly 57 million individuals in 2025, with most exposure tied to vendor compromises and tracking-pixel leakage rather than dramatic external hacks.
- HIPAA only covers a portion of what most people call health data; direct-to-consumer wellness and telehealth brands often fall outside it, which is the gap state laws are filling.
- Washington's My Health My Data Act (effective March 31, 2024) defines consumer health data broadly enough to cover location data, search behavior, and inferred conditions, with a private right of action.
- The operational answer for digital health brands is a Customer Data Platform that sits between every data source and every destination, enforcing both compliance and data hygiene end to end.
- Patients can meaningfully reduce exposure with a few habits: read the data-sharing section of privacy policies, use "Reject all" buttons, use private browsing for sensitive searches, and avoid apps without a clear deletion path.
- For deeper reading, see Matchnode’s pieces on pixels, HIPAA, and the HHS; the cookieless future for digital health ads; and HIPAA-compliant digital health marketing strategies. Audio companion: Privacy and Compliance in Marketing on the Marketing Digital Health podcast.
Every few months, a new story breaks about a hospital system, a mental health app, or a telehealth brand mishandling patient data. The headlines blur together, the language gets dramatic, and the conversation tilts toward an extreme: either digital health is a privacy disaster waiting to happen, or the controversy is overblown and patients should stop worrying.
Both framings miss the point. The real risks are specific and well documented, and so are the safeguards that already work. The job for anyone building a digital health brand, and for any patient using one, is to know which risks are operational versus theoretical, and which protections matter versus which are privacy theater.
This post is the orientation piece for Matchnode’s Patient Data Privacy cluster. It is written for two readers at once: the marketer or operator responsible for a digital health brand’s data posture, and the patient who wants to use these services without giving up more information than they intended.
Most teams stand a CDP up for defensive reasons: avoid breach exposure, avoid patient-privacy violations, avoid regulator attention. The bigger payoff is offensive. With compliance and hygiene enforced once and centrally, more creative tests can ship, more campaigns can run, and more attribution events flow back cleanly because the rules are not relitigated per campaign or rebuilt per new destination. Matchnode’s default CDP for digital health clients is Ours Privacy; we work with any compliant alternative a client already has in place. The operational depth of how this gets wired is on our technical services page.
- 57 million individuals affected by reported US healthcare data breaches in 2025
- 67% of Americans say they understand little about how companies use their personal data
- US states with consumer health privacy laws now in force or imminent
- March 31, 2024: Washington’s My Health My Data Act takes effect, expanding “health data” beyond HIPAA’s scope
Where the Real Risk Lives
- The perception: telehealth apps are “selling patient data” to advertisers in real time. Most patients picture a bulk sale of medical records. That is not the typical failure mode.
- The reality: a browser pixel on a condition-specific landing page sends part of the page URL to a third-party server without a BAA. Operational, mundane, and the source of every reported settlement.
Most coverage of digital health privacy is anchored in two scenarios: a dramatic breach where millions of records are exfiltrated, or a quieter story where an app or hospital website leaked health signals to advertising platforms through tracking pixels. Both happen. Neither captures the day-to-day reality.
According to the HHS Office for Civil Rights breach portal, 642 healthcare data breaches affecting 500 or more individuals were reported in 2025, exposing the records of roughly 57 million people. The 2025 HIPAA Journal breach report notes that the leading cause was not a Hollywood-style external hack, but a mix of vendor compromises, business associate failures, and ordinary phishing. The exposure surface for a typical patient is less “elite hacker” and more “the analytics vendor your provider chose without negotiating a Business Associate Agreement.”
The other risk is quieter and harder to see. When a patient visits a digital health website and the page loads a third-party tracking pixel, the URL path itself can transmit a signal that someone is researching depression treatment, opioid recovery, or fertility services. That signal, combined with an IP address or a device fingerprint, is enough to associate a real person with a sensitive condition without anyone formally storing a record. This is the pattern HHS-OCR addressed in its December 2022 tracking-technologies bulletin and broadened in its March 2024 update, and it is the pattern at the center of the $100M+ in cumulative class-action settlements healthcare brands have paid through 2025.
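The leak described above is mechanical: a pixel script reads the page URL and posts it, together with whatever the browser reveals about the device, to a server the brand has no agreement with. The controls are equally mechanical, and the following added example (not Matchnode’s code, not any vendor’s pixel) shows both: no request is built until an affirmative consent flag exists, and the URL is scrubbed of condition-bearing path segments, query values and the fragment before it is handed to the collector. The collector endpoint, the term lists and the sample page URL are constructed for the example.

```javascript
// Added example, not code from Matchnode or any tracking vendor. Shows the two
// controls that stop the leak: nothing leaves the browser until consent is
// recorded, and the page URL is scrubbed before a third party sees it.

// Constructed: path terms and query keys that would reveal a condition.
const SENSITIVE_PATH_TERMS = ['depression', 'opioid', 'fertility', 'therapy'];
const SENSITIVE_QUERY_KEYS = ['condition', 'symptom', 'diagnosis', 'q'];

// Hypothetical third-party collector; a real pixel would use its own URL.
const TRACKER_ENDPOINT = 'https://collector.example/pixel';

// Replace condition-bearing path segments and query values, and drop the
// fragment, so the URL a tracker receives carries no health signal.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  url.pathname = url.pathname
    .split('/')
    .map((seg) =>
      SENSITIVE_PATH_TERMS.some((t) => seg.toLowerCase().includes(t)) ? 'redacted' : seg)
    .join('/');
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_QUERY_KEYS.includes(key.toLowerCase())) {
      url.searchParams.set(key, 'redacted');
    }
  }
  url.hash = '';
  return url.toString();
}

// Consent must be an explicit, affirmative choice; absence or any other
// value (including the string "true") counts as "no".
function mayTrack(consent) {
  return Boolean(consent) && consent.analytics === true;
}

// Build what the pixel would send, or null when nothing may be sent.
function buildPixelRequest(consent, pageUrl) {
  if (!mayTrack(consent)) return null;
  return {
    endpoint: TRACKER_ENDPOINT,
    body: { page: scrubUrl(pageUrl), consentVersion: consent.version || 'unknown' },
  };
}

// Consent-gated loader. `send` is injected so the decision can be exercised
// without a network. Returns true only when a request actually fired.
function consentGatedFire(consent, pageUrl, send) {
  const req = buildPixelRequest(consent, pageUrl);
  if (req === null) return false;
  send(req);
  return true;
}

// Stand-alone demo with a constructed page URL and a logging sender.
const DEMO_PAGE =
  'https://clinic.example/conditions/depression-treatment?condition=mdd&utm_source=ad#book';
console.log(consentGatedFire(null, DEMO_PAGE, () => {})); // false: banner not answered
console.log(consentGatedFire({ analytics: true, version: 'v2' }, DEMO_PAGE,
  (r) => console.log(r.body.page)));                        // logs the scrubbed URL, then true
```

The “privacy theater” pattern in the lists further down is the same loader with the `mayTrack` check removed; the difference between the two is a single conditional, which is why the gap between a written policy and operational privacy is so easy to miss in a code review.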
What HIPAA Covers, and Where It Stops
HIPAA covers protected health information held by covered entities (providers, plans, clearinghouses) and their business associates. It is a serious regulatory regime, but it was written in 1996 and updated for the modern web in pieces. It does not cover everything most people would call “health data,” and the gap is wider than the public conversation acknowledges.
The gap is what state legislatures and the FTC have been filling. The FTC’s Health Breach Notification Rule now reaches consumer health apps that fall outside HIPAA, and state privacy laws have moved faster than federal action. The result is a layered, somewhat fragmented framework where a single brand can be subject to HIPAA, the FTC, the Washington My Health My Data Act, the California CCPA/CPRA, and several other state regimes at once.
The State Privacy Layer Closing the Gap
Washington’s My Health My Data Act, effective March 31, 2024, is the law to understand first. It defines “consumer health data” expansively, covering any information linked or reasonably linkable to a consumer that identifies past, present, or future physical or mental health status. That definition deliberately captures data HIPAA does not: location data that reveals a clinic visit, search history that suggests a diagnosis, inferences a brand or vendor draws from behavior on a non-clinical app.
Connecticut, Colorado, Texas, Virginia, and California have followed with their own consumer health data or general consumer privacy regimes. The practical effect for a brand operating nationally is that the lowest-common-denominator standard is no longer HIPAA. It is whichever state law has the broadest definition and the highest penalty, applied to every consumer who might be a resident of that state.
This is why Matchnode tells brands to design for the most stringent applicable standard rather than to try to slice their compliance posture by jurisdiction. The cost of getting it wrong is not just a fine. The Washington law includes a private right of action, meaning individuals can sue directly.
What Responsible Brands Actually Do
There is a wide gap between brands that have written a privacy policy and brands that have built operational privacy into how data flows. The first is necessary. The second is what actually protects patients and the business.
Privacy theater
- A long privacy policy nobody reads, written for the legal team rather than the patient.
- A cookie banner that asks for “consent” but loads tracking before the user clicks.
- A pixel on the appointment-confirmation page because “the marketing agency said we needed it.”
- No data inventory, no map of where patient data flows.
Operational privacy
- A current data inventory naming every source and every destination of patient data.
- Consent captured before any tracking fires, with the choice respected end to end.
- Server-side conversion events routed through a BAA-covered Customer Data Platform.
- Business Associate Agreements with every vendor that touches identifiable data.
The operational answer for digital health brands running paid media is to treat the Customer Data Platform layer as a hub, not an option. A compliant CDP sits between every source of first-party data the brand owns (website, app, intake forms, CRM, EHR-adjacent systems) and every destination that data flows to (Meta, Google, TikTok, email, SMS, analytics, BI, the data warehouse). It enforces HIPAA and state-level requirements like Washington’s MHMDA, and it also enforces data hygiene: clean identifiers, consistent hashing, consent-flag propagation, and event-taxonomy enforcement across destinations.
What Patients Can Do
The patient side of this conversation is often skipped, partly because it feels like blaming users for the choices brands and platforms make. That is a fair concern, but a few habits genuinely change what gets collected. Recent Pew Research data shows that 67% of Americans say they understand little to nothing about how companies use their personal information, and 72% want more regulation. The gap is not just informational; the tools exist, but most people do not know where to find them.
- ✓ Read the data section of a privacy policy, not the whole policy. Look for what is shared with “advertising partners” and “service providers.”
- ✓ When a site offers “Reject all” alongside “Accept all,” use it. The button exists because regulation forced it.
- ✓ For sensitive searches, use a private browsing window, a privacy-focused browser, or a search engine that does not retain query history.
- ✓ If a wellness or symptom-tracking app does not have a clear data deletion path, treat that as the answer to whether you should use it.
- ✗ Do not assume a brand is HIPAA-covered just because it is “in healthcare.” Most direct-to-consumer wellness brands are not.
The Privacy Posture That Holds Up Under Scrutiny
The privacy conversation is shifting from “is this controversial” to “what is the operational standard,” and the operational standard is rising. State laws are converging on a broader definition of health data, federal enforcement is more active than it has been in a decade, and platform-level changes are forcing every brand to rebuild measurement on first-party foundations.
For background on how the HIPAA tracking rules got to where they are, see Matchnode’s piece on pixels, HIPAA, and the HHS. For why the underlying identity layer is shifting at the same time, see the cookieless future for digital health ads. For platform-specific implications on Meta, see Meta’s new data restrictions. For the broader marketer playbook, see HIPAA-compliant digital health marketing strategies.
If you are building a digital health brand and you want a partner who treats privacy as a system rather than a checkbox, our work in paid social and on other ad platforms is built around the same operational standard described above.
For the longer treatment, see Marketing Digital Health on Amazon.