APEX VAULT.
You scanned your site — here's what to do next

Those trackers aren't a configuration issue. They're a class-action surface.

Every tracker the scanner flagged appears in active class actions under state wiretap statutes and state consumer-health-privacy laws. $100M+ has settled to date, and the docket is accelerating into independent practices. The fix isn't deleting the tags — it's sanitizing what crosses the wire to Meta and Google. Your campaigns keep running. The patient data stops at your boundary.

What your scanner result means

The trackers on your site are exactly what plaintiff firms are settling against in the current docket.

State wiretap statutes (CIPA in California, the Illinois Eavesdropping Act, New York Penal Law §250, Massachusetts Wiretap Act, Florida Security of Communications Act) treat the forwarding of visitor browsing data to Meta and Google as an interception of consumer health communications. State consumer-health-privacy laws (Washington MHMDA, Nevada SB 370, Connecticut health-data provisions) treat it as an unauthorized sale of consumer health data.

The plaintiff firms aren't pursuing this on theoretical grounds. They've already settled against hospital systems, multi-location MSOs, telehealth platforms, digital-health companies, and specialty pharmaceutical manufacturers — across multiple states.

Settlement docket

$100M+ aggregate · public docket active 2026. Accelerated post-Dobbs and post-AHA v. Becerra (which collapsed the federal HIPAA defense to state-law claims). Most settlements pay out quietly through E&O and cyber liability insurance — which is why most practice owners hear about it from their carrier's renewal, not the news.

"Can't I just add a cookie banner?"

The short answer: no. The pattern at issue isn't about disclosure or consent — it's about what data crosses the wire to non-business-associate vendors. Standard consent infrastructure doesn't change that flow. Apex Vault does.

"What if I just switch to Facebook Lead Ads?"

The other workaround a marketing team will pitch. Same trap.

The pitch

"Use Facebook Lead Ads. The form lives on Facebook, data never leaves their platform, no tracking pixel on your site. Problem solved."

What actually happens

Facebook collects healthcare-context data on your behalf. Facebook does not sign a BAA for Lead Ads — meaning the data still leaves your compliance chain. The architectural pattern under state consumer-health-privacy laws is the same as a pixel on your own site. Same exposure, different surface.

The fix: a proxy that sanitizes the wire.

Tracking events enter raw, leave sanitized. No matchable identifier ever crosses the wire to Meta, Google, or any ad platform. Your campaigns keep optimizing against aggregate conversion signal.

Your site
Healthcare website
IP · URL · Fingerprint
Sanitization boundary
Apex Vault
Strip every
matchable signal
Destinations
First-party analytics + CAPIs
UUID · Value · Timestamp

The path forward depends on your scale.

Pick the tier that matches your operating profile.

Tier 01

Independent Practice

1–4 location practices. Multi-tenant deployment, templated BAA, 7-day install. Public pricing.

$5K + $1K–$2.5K/mo →
Tier 02

MSO Platform

5–25 location operators. Single-tenant, negotiated BAA, dedicated pen test pre-go-live. 9-week cycle.

Request tier sheet →
Tier 03

Enterprise

Hospital systems, specialty pharma, multi-brand. Bespoke single-tenant, Letter of Attestation at go-live.

Request tier sheet →

You already saw your trackers. Now book the 15-minute call.

We walk you through what's currently firing on your site, what the architecture replaces it with, and what your ad performance looks like after deployment. No legal advice, no pressure — just the operational answer.