Every tracker the scanner flagged is named in active class actions under state wiretap statutes and state consumer-health-privacy laws. $100M+ in settlements since 2022, and the docket is accelerating. The fix isn't deleting the tags — it's sanitizing what crosses the wire to Meta and Google. Your campaigns keep running. The patient data stops at your boundary.
State wiretap statutes (CIPA in California, the Illinois Eavesdropping Act, New York Penal Law §250, Massachusetts Wiretap Act, Florida Security of Communications Act) treat the forwarding of visitor browsing data to Meta and Google as an interception of consumer health communications. State consumer-health-privacy laws (Washington MHMDA, Nevada SB 370, Connecticut health-data provisions) treat it as an unauthorized sale of consumer health data.
The plaintiff firms aren't pursuing this on theoretical grounds. They've already settled against hospital systems, multi-location MSOs, telehealth platforms, digital-health companies, and specialty pharmaceutical manufacturers — across multiple states.
$100M+ aggregate · 15+ public settlements · 2022–2026. The docket has accelerated post-Dobbs, post-AHA v. Becerra (the 2024 ruling that vacated HHS's online-tracking guidance and with it the HIPAA-based defense to state-law claims), and into the 2026 cyber-insurance renewal cycle.
The short answer to whether a cookie-consent banner covers this: no. State consumer-health-privacy laws distinguish between data sharing (which a consent banner can sometimes cover) and data sale. Tracking pixels feeding Meta and Google get treated as a sale, because the platform provides valuable consideration (retargeting, audience optimization, look-alike modeling) in exchange for the identifying signal.
The authorization required to sell consumer health data is a separate, far stricter standard than ordinary cookie consent, and it is functionally impossible to obtain from every casual website visitor. The data flow itself has to change architecturally — which is what Apex Vault does.
The other workaround a marketing team will pitch. Same trap.
"Use Facebook Lead Ads. The form lives on Facebook, data never leaves their platform, no tracking pixel on your site. Problem solved."
Facebook collects consumer health data on your behalf — which makes them a Business Associate under HIPAA. Facebook does not sign BAAs for Lead Ads. State consumer-health-privacy laws still apply: you remain the regulated entity, Facebook still provides valuable consideration (lead delivery, optimization, retargeting, lookalike modeling) in exchange, and the user's TOS click on Facebook isn't the Valid Authorization to Sell that state laws require. Same exposure, different surface.
Tracking events enter the boundary raw and leave it sanitized. No matchable identifier (hashed email or phone, ad-platform cookie, IP address, user agent, click ID) crosses the wire to Meta, Google, or any ad platform. Your campaigns keep optimizing against aggregate conversion signal: event type, coarse timing, value.
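What "enter raw, leave sanitized" looks like in code, as an added illustration that is not Apex Vault's implementation: a boundary sanitizer for a Meta Conversions-API-shaped event that allowlists the aggregate fields, empties `user_data`, strips query strings and fragments from the source URL, rounds the timestamp to the hour, and then runs an independent check that nothing matchable survived. The event shape follows Meta's public CAPI parameter names; the sample event, the `clinic.example` host and the hour-bucket size are constructed for the example. The same allowlist approach applies to the GA4 Measurement Protocol, where `client_id` and `user_id` are the match keys.

```python
import copy
import re
from urllib.parse import urlsplit, urlunsplit

# user_data keys Meta's Conversions API can match to a person, hashed or not.
# Assumption: key names follow Meta's public CAPI parameter list.
MATCHABLE_USER_KEYS = frozenset({
    "em", "ph", "fn", "ln", "ge", "db", "ct", "st", "zp", "country",
    "external_id", "client_ip_address", "client_user_agent",
    "fbc", "fbp", "subscription_id", "fb_login_id", "lead_id",
})

# custom_data keys that carry aggregate signal only; everything else is dropped.
ALLOWED_CUSTOM_KEYS = frozenset({"value", "currency", "num_items"})

# Identifier shapes that leak through free-text fields.
PII_PATTERNS = (
    re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+"),   # e-mail address
    re.compile(r"\+?\d[\d\s().-]{8,}\d"),        # phone number (also catches IPv4)
    re.compile(r"\b[0-9a-f]{64}\b", re.I),       # SHA-256 digest (pre-hashed PII)
    re.compile(r"\bfb\.\d\.\d+\.\w+"),           # _fbp/_fbc cookie format
)

TIME_BUCKET_SECONDS = 3600  # assumption: hour buckets are coarse enough for optimisation


def strip_url(url):
    """Keep scheme, host and path; drop query (fbclid, gclid, utm_*, form
    parameters) and fragment, both of which routinely carry identifiers."""
    p = urlsplit(url)
    return urlunsplit((p.scheme, p.netloc, p.path, "", ""))


def coarsen_time(ts, bucket=TIME_BUCKET_SECONDS):
    """Round a Unix timestamp down to the bucket so exact-second timing
    cannot be joined back against server logs or other telemetry."""
    return int(ts) - (int(ts) % bucket)


def sanitize_event(raw):
    """Return a new CAPI-shaped event with every matchable identifier removed.
    Allowlist, not denylist: fields this function does not name do not survive."""
    ev = {
        "event_name": raw["event_name"],
        "event_time": coarsen_time(raw["event_time"]),
        "action_source": raw.get("action_source", "website"),
        "user_data": {},  # even hashed email/phone is a match key on Meta's side
    }
    if "event_source_url" in raw:
        # Caveat: the path still reveals which page was visited. Without an
        # identifier it is not matchable, but operators who want zero content
        # leakage should allowlist paths here as well.
        ev["event_source_url"] = strip_url(raw["event_source_url"])
    custom = raw.get("custom_data") or {}
    ev["custom_data"] = {k: copy.deepcopy(custom[k]) for k in ALLOWED_CUSTOM_KEYS if k in custom}
    # event_id is dropped: it only exists to dedupe against a browser pixel,
    # and removing the browser pixel is the point of this design.
    return ev


def find_identifiers(obj, path="$"):
    """Boundary check: walk the event and report every matchable key, PII-shaped
    string, or URL that still carries a query string. Empty list means clean."""
    findings = []
    if isinstance(obj, dict):
        for k, v in obj.items():
            if k in MATCHABLE_USER_KEYS:
                findings.append(f"{path}.{k}: matchable key")
            findings.extend(find_identifiers(v, f"{path}.{k}"))
    elif isinstance(obj, list):
        for i, v in enumerate(obj):
            findings.extend(find_identifiers(v, f"{path}[{i}]"))
    elif isinstance(obj, str):
        if "://" in obj and "?" in obj:
            findings.append(f"{path}: URL with query string")
        for pat in PII_PATTERNS:
            if pat.search(obj):
                findings.append(f"{path}: matches {pat.pattern!r}")
    return findings


# Constructed sample (not captured traffic): what a browser pixel would send
# for a form submission before sanitisation.
RAW_EVENT = {
    "event_name": "Lead",
    "event_time": 1735693261,
    "event_id": "sess-8f1c-0042",
    "action_source": "website",
    "event_source_url": "https://clinic.example/services/fertility?fbclid=IwAR3abc&utm_source=fb",
    "user_data": {
        "em": "b4c9a289323b21a01c3e940f150eb9b8c542587f1abfd8f0e1cc1ffc5e475514",
        "fbp": "fb.1.1735693200000.1234567890",
        "client_ip_address": "203.0.113.7",
        "client_user_agent": "Mozilla/5.0 (iPhone; CPU iPhone OS 17_0 like Mac OS X)",
    },
    "custom_data": {"value": 250.0, "currency": "USD",
                    "notes": "call back re: results, jane.doe@example.com"},
}


def demo():
    """Sanitize the sample and return (raw, clean, findings_before, findings_after)."""
    clean = sanitize_event(RAW_EVENT)
    return RAW_EVENT, clean, find_identifiers(RAW_EVENT), find_identifiers(clean)


if __name__ == "__main__":
    raw, clean, before, after = demo()
    print("identifiers in raw event:", *before, sep="\n  ")
    print("identifiers after sanitising:", after or "none")
    print("forwarded event:", clean)
```

Run `find_identifiers` on the outbound payload as a hard gate, not a log line: if it returns anything, the event is dropped, because the failure mode the statutes punish is one identifier paired with one health-page visit, and a denylist that misses a new parameter name fails open while this allowlist fails closed.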
Pick the tier that matches your operating profile.
1–4 location practices: multi-tenant deployment, templated BAA, 7-day install. Public pricing: $5K + $1K–$2.5K/mo.
5–25 location operators: single-tenant deployment, negotiated BAA, dedicated pen test before go-live, 9-week cycle. Request tier sheet.
Hospital systems, specialty pharma, multi-brand: bespoke single-tenant deployment, Letter of Attestation at go-live. Request tier sheet.
We walk you through what's currently firing on your site, what the architecture replaces it with, and what your ad performance looks like after deployment. No legal advice, no pressure — just the operational answer.