A Louisiana health system will pay out and change digital practices to resolve claims it improperly shared visitor data with tech platforms.
Willis-Knighton Medical Center has agreed to settle a class action lawsuit alleging that its use of web tracking technologies led to unauthorized disclosures of user data to companies like Google and Facebook. The lawsuit, consolidated under Jacqueline Horton, et al. v. Willis-Knighton Medical Center, was filed in the 10th Judicial District Court in Natchitoches Parish, Louisiana.
The complaint focused on pixels and tracking tools embedded on Willis-Knighton’s website and patient portal. These tools allegedly collected personally identifiable information (PII) and transmitted it to third parties without proper authorization, potentially violating HIPAA.
While commonly used across industries, tracking tools can capture sensitive visitor information when applied to healthcare websites. One study cited in the case found that over 99% of hospital websites included such tools. The class action alleged that Willis-Knighton's use of these technologies enabled unauthorized third-party data access.
Willis-Knighton has denied any wrongdoing and maintains that no medical information was shared with Facebook or Google. However, the health system opted to settle in order to avoid protracted litigation and uncertain trial outcomes. Willis-Knighton agreed to suspend use of 16 specific tracking and analytics tools - including Google Ads, Meta, TikTok, and TheTradeDesk, for two years after final settlement approval.
The health system’s statement stated that the decision to settle did not reflect an admission of liability. Instead, it cited the financial and operational costs of litigation as the reason for the resolution. The court has scheduled a final approval hearing for January 22, 2026. Individuals must file claims by December 18, 2025, and objections or exclusions must be submitted by November 18, 2025.
According to Bloomberg Law, “the fear of costly litigation and enforcement actions by federal regulators has led most health-care providers to remove tracking software from their password-protected patient portals,” resulting in a loss of valuable engagement and marketing data.
In 2021, over 98% of US hospitals and health systems used tracking pixels, but that number dropped to 55% in 2024 and just 30% in 2025, according to Jenny Bristow, CEO of Hedy & Hopp, which analyzed hundreds of provider websites. The number of providers that removed all pixels also more than doubled in a year, from 12% in 2024 to 28% in 2025. As privacy attorney Mark H. Francis noted, “providers are paying a lot more attention to what tools they are using and how the tools are implemented,” showing that settlements like Willis-Knighton’s are part of a nationwide retreat from third-party tracking amid tightening legal and regulatory scrutiny.
Tracking technologies can collect identifiers tied to patient portal activity, online appointment requests, or browsing tied to health conditions. When these identifiers are sent to third-party platforms, providers face HIPAA, state privacy, and wiretapping claims regardless of their marketing intent.
Healthcare sites often combine public-facing content with portal logins, scheduling tools, symptom checkers, and intake workflows. Pixels placed on these pages can inadvertently capture PHI signals, making compliance risks far higher than on standard commercial websites.
Class actions frequently point to a lack of tool vetting, absence of documented governance, insufficient audits of website scripts, and failure to limit third-party data transmissions. Providers without a defined digital-tracking policy face stronger claims of negligence.
Compliance and IT teams should jointly review all pixels, tags, analytics suites, and marketing platforms across every web property. Providers should verify what data each tool collects, whether it passes identifiers externally, and whether any tool requires removal, reconfiguration, or a BAA.
Health systems should assume that pixels and analytics tools will be scrutinized in litigation. A disciplined governance model, routine code scans, server-side analytics, and limits on third-party tracking can greatly reduce risk and demonstrate responsible oversight.