Two new federal class actions in Florida accuse healthcare providers of using website tracking technologies to intercept and transmit patient-related information to advertising and analytics companies. The lawsuits, filed against Solis Mammography and The Orthopaedic Institute, are the latest warning that healthcare websites, appointment pages, provider searches, patient portals, and payment flows are now being treated as high-risk privacy environments.
Healthcare Websites Are Becoming Evidence
Healthcare privacy litigation is no longer limited to ransomware, stolen laptops, exposed databases, or traditional data breaches. Plaintiffs’ lawyers are increasingly focused on what happens quietly inside a provider’s website: which pixels fire, which cookies are dropped, which analytics tools receive user identifiers, and whether patient-related activity is transmitted to third-party advertising platforms before consent is obtained.
Two Florida lawsuits filed in April 2026 show how quickly ordinary website tools can become the foundation for a class action. One case targets Comprehensive Breast Care Center of Texas, which operates as Solis Mammography. The other targets The Orthopaedic Institute, P.A. Both lawsuits allege that tracking technologies embedded on healthcare websites captured sensitive user activity and sent it to third parties without adequate notice or consent.
The allegations have not been proven in court, and the defendants will have the opportunity to respond. But the cases are significant because they follow the same pattern now appearing across the healthcare privacy docket: plaintiffs allege that pixels, cookies, analytics tools, ad tech, and tag managers are functioning as hidden surveillance tools when deployed on websites involving medical services.
The Solis Mammography Lawsuit
The Solis Mammography case was filed April 9, 2026 in the U.S. District Court for the Southern District of Florida. The plaintiffs allege that Solis Mammography used third-party tracking technologies on its website that intercepted and transmitted sensitive health-related information and personally identifiable information without users’ knowledge or consent.
According to the allegations summarized in public reporting, the data at issue included patient status, medical conditions, diagnostic services sought, appointment scheduling activity, treatment locations, and other information that could reveal a person’s relationship with a healthcare provider. The complaint alleges that this data was shared with third parties, including Google, through tracking tools operating invisibly in real time.
The plaintiffs’ theory is direct: a user who visits a mammography provider’s website may be communicating extremely sensitive information even before logging into a formal patient portal. Searching for diagnostic services, selecting a location, scheduling care, or interacting with appointment tools can reveal health-related concerns. When that activity is paired with identifiers such as cookies, device information, IP addresses, or account data, plaintiffs argue it becomes private health information that should not be disclosed to advertising or analytics companies without consent.
That is why healthcare website tracking cases are so dangerous. The legal exposure does not depend solely on a hacker breaking into a system. It can arise from tools the business deliberately installed for marketing, analytics, conversion tracking, retargeting, or user-experience measurement.
The Orthopaedic Institute Lawsuit
The second case was filed April 7, 2026 in the U.S. District Court for the Middle District of Florida against The Orthopaedic Institute. Plaintiffs Carolynn Place and Liberty Dzamko allege that the provider embedded tracking technologies on its website that intercepted electronic communications and shared user activity with companies including Google and AdRoll.
According to public reporting, the complaint identifies technologies including Google Analytics 4, DoubleClick, and AdRoll. The alleged tracked activity included physician searches, selected medical specialties, appointment requests, attempts to access patient portals, and efforts to pay medical bills. Plaintiffs allege that this data was transmitted with identifying cookies to third parties.
For healthcare providers, this is a critical fact pattern. Orthopedic websites often include provider directories, specialty pages, condition-specific content, appointment forms, portal links, billing links, and location pages. A user’s interaction with those pages may reveal whether the person is seeking treatment for back pain, knee injuries, joint replacement, sports injuries, spine care, workers’ compensation issues, or other medical concerns.
The privacy risk increases when those interactions are connected to third-party identifiers. Plaintiffs’ firms argue that the combination of healthcare browsing activity plus identifying technology can expose care-seeking behavior in a way ordinary users would not expect.
The Wiretap Theory Behind the Cases
Both lawsuits assert claims under the federal Electronic Communications Privacy Act and the Florida Security of Communications Act. These statutes are being used in a growing wave of website tracking lawsuits where plaintiffs argue that real-time data transmissions to third parties amount to unlawful interception of electronic communications.
The theory is especially potent in healthcare because the underlying information is not ordinary ecommerce activity. Plaintiffs can argue that the website interaction itself reveals sensitive health concerns, provider relationships, diagnostic interests, appointment intent, or treatment-related activity. That makes healthcare tracking cases more emotionally and legally powerful than many routine cookie disputes.
The legal theory also creates significant settlement pressure. Wiretap claims can trigger statutory damages, class-wide discovery, expert disputes, and expensive motion practice. Even when defendants deny wrongdoing, the cost of litigation can become substantial, particularly when the plaintiff class may include thousands or millions of website users.
Why Almeida Law Group Matters Here
The Solis Mammography plaintiffs are represented by Matthew J. Langley of Almeida Law Group. That is notable because Almeida Law Group has become increasingly visible in healthcare pixel tracking and privacy litigation. The firm’s own public materials describe a focus on data security and privacy, including data breaches and unauthorized third-party online tracking technologies such as pixels.
Almeida Law Group’s website specifically describes online tracking cases involving hospitals, medical providers, telehealth companies, online pharmacies, mortgage and loan providers, insurance companies, retailers, and other businesses that embed invisible trackers on websites, apps, portals, and other digital properties. The firm frames the issue as a consent and disclosure problem: companies allegedly collect or share data through third-party tracking tools without clearly telling users what is happening.
The firm also lists several healthcare and health-adjacent pixel tracking matters where it has served as lead, co-lead, or co-counsel, including cases involving Froedtert Health, Advocate Aurora Health, Everlywell, Wellstar Health System, Aspirus, Banner Health, and Northbay Healthcare. It also publicly announced preliminary approval of a $3.25 million settlement involving Lemonaid Health and LMND Medical Group, where the allegations centered on tracking technologies allegedly disclosing sensitive health-related information to Facebook and Google without user consent.
For healthcare defendants, the point is not that every Almeida Law Group case is identical. The point is that the firm has built a repeatable litigation theory around healthcare websites, tracking technologies, third-party data transmission, consent, and sensitive health-related user activity. That makes the Solis Mammography lawsuit part of a broader plaintiffs’ strategy, not an isolated filing.
The Larger Pattern: Healthcare Providers Are Being Sued for Their Marketing Stack
These cases reflect a shift in healthcare privacy litigation. Plaintiffs are no longer focused only on whether a provider suffered a breach. They are looking at whether the provider’s own marketing stack created the disclosure.
That includes tools commonly used by healthcare organizations and their agencies: Google Analytics, Google Tag Manager, DoubleClick, Meta Pixel, AdRoll, TikTok Pixel, session replay software, chat widgets, call tracking, embedded maps, form analytics, retargeting tags, and conversion pixels.
Many providers installed these tools for understandable business reasons. They wanted to measure traffic, improve appointment conversion, understand patient acquisition, run paid media campaigns, optimize provider pages, or track whether users completed forms. The problem is that healthcare websites are not ordinary lead-generation websites. A page view, search, form interaction, or appointment request may reveal sensitive medical intent.
That is what plaintiffs’ lawyers are targeting. The allegation is not simply that a provider used Google or AdRoll. The allegation is that the provider allowed third parties to receive health-related communications or identifiers without meaningful disclosure, without consent, and without adequate controls to prevent sensitive data from being transmitted.
Why This Is a Risk for Any Healthcare Website
The risk is not limited to hospitals. Specialty practices, dental groups, imaging centers, fertility clinics, dermatology practices, orthopedic groups, behavioral health providers, telehealth platforms, urgent care chains, medical spas, and healthcare SaaS companies can all face similar allegations if their websites collect sensitive user activity while third-party trackers are active.
The highest-risk pages are usually the pages marketing teams care about most: appointment forms, condition pages, physician search pages, location pages, patient portal links, billing pages, symptom pages, insurance pages, intake forms, and campaign landing pages. Those are the pages where users reveal the most about why they are seeking care.
Healthcare providers should assume that plaintiffs’ firms can inspect their websites, identify third-party scripts, test whether trackers fire before consent, and compare actual data flows against privacy policy language. If the website says patient information is protected but the technical evidence shows third-party advertising tools receiving health-related activity, the provider may face a difficult defense narrative.
The HIPAA Problem Behind the Pixel Problem
The complaints also raise HIPAA-related arguments. Plaintiffs allege that the information collected through healthcare website interactions can constitute protected health information when tied to an identifiable person and a healthcare provider relationship.
Even when HIPAA does not create a private right of action by itself, HIPAA concepts can still influence the litigation. Plaintiffs may use HIPAA to frame what information is sensitive, what expectations patients had, what duties the provider understood, and why the alleged disclosure was harmful. Regulators, insurers, business partners, and the public may also view the same facts through a HIPAA lens.
That is why healthcare providers should not treat pixel litigation as a narrow cookie-banner issue. In healthcare, website tracking can become a HIPAA, wiretap, consumer protection, breach notification, vendor management, and reputational issue at the same time.
What Healthcare Providers Should Do Now
Healthcare organizations should immediately review their websites and digital properties for tracking technologies, especially on pages where users search for care, request appointments, access portals, pay bills, submit forms, or interact with condition-specific content.
The first step is to identify what is actually running. Many healthcare executives and privacy officers do not know how many trackers their websites contain because tags are often added by marketing agencies, analytics vendors, ad platforms, scheduling tools, CRM integrations, or old campaign scripts that were never removed.
The second step is to determine when those technologies fire. If pixels or analytics tools load before consent, or if they transmit health-related page activity to third parties, the organization may be exposed. It is not enough to have a generic privacy policy link in the footer if tracking begins before the user has a meaningful opportunity to understand and control data sharing.
The third step is documentation. Healthcare providers need records showing what trackers were present, what categories they belonged to, what consent choices users made, whether opt-outs were honored, what vendors received data, and what remediation occurred when risks were identified.
How Captain Compliance Helps Healthcare Organizations Reduce This Risk
Captain Compliance helps healthcare organizations identify and reduce website privacy risks before plaintiffs’ counsel defines the story. The platform supports cookie and tracker scanning, consent management, consent logging, privacy notice support, opt-out workflows, and DSAR intake and tracking.
For healthcare providers, this matters because the legal question is often not only what the website says. It is what the website actually does. Captain Compliance helps organizations discover whether pixels, cookies, analytics tools, ad tech, session replay scripts, or other third-party technologies are active on sensitive pages.
Captain Compliance also helps create a record. That record can matter when a provider needs to show that it scanned its website, categorized trackers, implemented consent controls, honored privacy choices, updated disclosures, removed risky tags, or built a DSAR workflow before a lawsuit or demand letter arrived.
In the current litigation environment, privacy compliance is not just a policy exercise. It is a litigation-readiness exercise.
Compliance Steps for Healthcare Providers
Healthcare providers should treat the Solis Mammography and Orthopaedic Institute lawsuits as a warning to review their digital front door. The following steps can reduce exposure:
- Scan all public-facing websites and landing pages. Identify every cookie, pixel, tag, analytics tool, advertising script, session replay tool, chat widget, and embedded third-party service.
- Audit sensitive pages first. Prioritize appointment scheduling, provider search, condition pages, patient portals, billing pages, intake forms, insurance pages, and campaign landing pages.
- Block non-essential trackers before consent. Healthcare organizations should not allow advertising or analytics tools to collect sensitive user activity before a valid consent choice is made.
- Review vendor and tag manager access. Marketing agencies, analytics vendors, CRM providers, and advertising platforms should not be able to add or modify scripts without privacy review.
- Update privacy notices to match actual data flows. Disclosures should accurately describe what data is collected, how it is used, which third parties receive it, and what choices users have.
- Maintain consent and opt-out records. A consent banner without records is weak evidence. Providers need logs showing user choices and proof that those choices were honored.
- Operationalize DSAR workflows. Healthcare providers should be able to intake, verify, route, track, and complete privacy requests involving access, deletion, correction, opt-out, and disclosure information.
- Remove unnecessary tracking from healthcare-specific pages. If a tracker is not essential, it should not be present on pages that reveal care-seeking behavior or medical interests.
Healthcare Website Tracking Lawsuits
The Florida lawsuits against Solis Mammography and The Orthopaedic Institute show how healthcare website tracking has become a direct litigation risk. Plaintiffs are alleging that routine digital marketing tools can become unlawful interception technologies when they capture patient-related activity and transmit it to third parties without consent.
Almeida Law Group’s involvement in the Solis case is particularly important because the firm has already built a public profile around healthcare pixel tracking litigation. Its other cases and public materials show that plaintiffs’ firms are actively looking for healthcare websites where tracking technologies may be collecting sensitive user activity.
For healthcare providers, the warning is clear: your website can become the evidence. Every pixel, cookie, analytics tag, session replay script, and consent record may matter. The organizations in the strongest position will be those that can show they scanned their websites, controlled tracking, documented consent, honored privacy requests, and removed risky technologies before litigation arrived.
Captain Compliance helps healthcare organizations make their websites and privacy operations harder targets for plaintiffs’ firms pursuing pixel tracking, wiretap, and sensitive data disclosure claims.
Find Website Privacy Risk Before Plaintiffs Do
If your healthcare organization does not know what trackers are running on its website, whether pixels fire before consent, or whether sensitive pages transmit data to third parties, Captain Compliance can help you identify and reduce the risk.
