Delta Dental Website Operator Wyssta Settles Privacy Lawsuit for $12.7M


A dental website operator has agreed to pay nearly $12.7 million to settle a class-action privacy lawsuit over the alleged use of cookies, pixels, and analytics tools on a Delta Dental member portal. While this seems like a big settlement, we previously covered the $18.7 million Aspen Dental lawsuit over pixel tracking data privacy violations.

The settlement involves Wyssta Services, which operates an online portal for certain Delta Dental plan members at my.deltadentalcoversme.com. The lawsuit alleged that Wyssta installed and implemented advertising and analytics tracking technologies on the portal without users’ knowledge or consent.

Wyssta denies the allegations and denies any wrongdoing. No court has found that the company violated the law. But the size of the settlement should get the attention of every dental group, healthcare vendor, benefits administrator, practice management platform, and patient portal operator.


Delta Dental Privacy Tracking Lawsuit

This is not just a dental industry story. It is another warning that website tracking technology has become one of the most active privacy litigation risks in healthcare.

What the Wyssta Services settlement is about

The lawsuit, Michael Feeler v. Wyssta Services, Inc., alleged that Wyssta violated the Electronic Communications Privacy Act and the Illinois Eavesdropping Statute by using tracking technologies, including cookies and pixels, on a website it operated for Delta Dental plan members.

The settlement class includes people in the United States who held an account on the online healthcare portal at my.deltadentalcoversme.com between January 23, 2021 and January 23, 2025.

Class members who submit valid claims may receive up to $16.50, subject to the settlement terms and court approval. A final approval hearing is scheduled for September 9, 2026.

On paper, that may sound like a small per-person payment. But from a compliance perspective, the headline number is the real message: a website tracking case involving a dental benefits portal has produced a multimillion-dollar settlement.

That should make dental organizations rethink how they treat tracking pixels, analytics scripts, retargeting tools, session replay, lead attribution tools, and advertising tags.

The privacy problem with healthcare website tracking

Most companies still think of cookies and pixels as marketing tools. In ordinary retail, that may be true. But in healthcare, dental, insurance, benefits, and patient portal environments, tracking technology can quickly move into a much more sensitive category.

A user visiting a healthcare-related portal is not just browsing shoes or booking a hotel room. The user may be logging into a benefits account, reviewing plan information, searching for dental coverage, checking claims, looking at dependents, updating contact information, or interacting with information tied to healthcare services.

That context matters.

When tracking tools collect URLs, page titles, click events, form interactions, identifiers, account data, or user behavior from a healthcare portal, plaintiffs’ lawyers may argue that the company intercepted or disclosed private communications. Regulators may ask whether the tracking activity was disclosed properly. Healthcare lawyers may ask whether the data could qualify as protected health information, depending on the entity, the data flow, and the relationship between the parties.

This is why healthcare website tracking has become such a litigation magnet. The technology may look ordinary to a marketing team, but the legal exposure is very different when the website is tied to dental coverage, patient care, insurance benefits, prescriptions, appointments, provider searches, or claims.

Dental organizations are now part of the healthcare privacy litigation wave

For a long time, dental companies were treated as lower-risk than hospitals, health systems, and major insurers. That assumption is outdated.

Dental organizations now operate digital ecosystems that look a lot like broader healthcare platforms. They run patient portals, appointment scheduling tools, payment pages, insurance verification systems, treatment plan portals, email marketing systems, chat tools, call tracking, online intake forms, review platforms, retargeting campaigns, and analytics dashboards.

That means dental companies are collecting and processing more personal information than ever before.

They may collect names, addresses, phone numbers, email addresses, insurance information, dependent information, appointment details, procedure interests, payment information, claim details, treatment history, and online behavior. Even when the data is not clinical chart data, it can still be sensitive. And when it is connected to a healthcare or benefits context, the privacy expectations are higher.

The Wyssta settlement shows that dental-related websites are no longer sitting outside the privacy litigation zone. They are directly inside it.

Why cookies and pixels can become an eavesdropping claim

The legal theory in many website tracking lawsuits is not limited to traditional consumer privacy law. Plaintiffs increasingly bring claims under wiretap, eavesdropping, and electronic communications statutes.

That matters because these laws can carry significant statutory damages and can be used even when there is no traditional data breach.

The argument usually works like this: a user communicates with a website or portal, and a third-party tracking tool allegedly receives information about that interaction without the user’s consent. Plaintiffs may argue that the tracking vendor was a third party to the communication and that the website operator allowed an unauthorized interception or disclosure.

Companies often disagree with that theory. Defendants frequently argue that common analytics tools are not wiretaps, that users consented through policies or banners, that the vendor acted as a service provider, or that the data did not include the contents of a private communication.

But the litigation risk remains real.

Even when companies deny wrongdoing, many cases settle because the cost of defending website tracking litigation can be significant. The Wyssta settlement is another example of how expensive this category has become.

The biggest mistake: treating the portal like an ordinary website

The central compliance mistake is assuming that all websites can use the same analytics and advertising stack.

A dental benefits portal should not be governed the same way as a generic homepage. A patient login page should not be treated like a blog article. An appointment request page should not be treated like a basic marketing landing page. A claims portal should not be treated like an ecommerce product page.

Different pages carry different privacy risk.

A dental company may be able to justify basic analytics on a public homepage. But tracking authenticated member portal activity, form submissions, treatment interest pages, insurance pages, or payment flows creates a very different risk profile.

That is where many organizations get into trouble. Marketing tags are often added globally through Google Tag Manager or a similar tag management tool. Once that happens, the same pixel can fire across every page of the website unless someone limits it. A tag that may be acceptable on a public landing page may become a serious problem when it fires inside a logged-in portal or on a healthcare-related form.

Dental and healthcare websites need page-level tracking controls

Privacy compliance cannot stop at the cookie banner. Companies need page-level control over where tracking technologies are allowed to run.

A serious healthcare tracking review should separate website areas into risk categories. Public education pages may be lower risk. General corporate pages may be lower risk. Appointment scheduling, account login, insurance portals, payment pages, provider searches, claim pages, and intake forms are higher risk.

Once the website is mapped, companies should decide what tools can run in each area. Some pages may allow only strictly necessary technologies. Some may allow first-party analytics. Some may require consent before any non-essential tools fire. Some may need advertising pixels completely removed.

That is the level of control regulators, plaintiffs, and business partners increasingly expect.

Cookie banners alone will not save a bad tracking setup

Many companies assume that having a cookie banner means they are protected. That is not true. Server-side tracking and using Captain Compliance can help resolve this issue and avoid these very expensive suits.

A cookie banner is only useful if it accurately controls the technologies on the site. If tracking tools fire before consent, if the banner does not cover all vendors, if reject buttons do not actually block non-essential scripts, or if the privacy policy does not match the site’s real tracking behavior, the company may still have exposure.

Healthcare and dental organizations should be especially careful with consent banners because many of them were designed for general consumer marketing websites, not healthcare portals.

A banner that says “we use cookies to improve your experience” may not be enough if the site is sharing user interactions with analytics or advertising vendors in a healthcare context. The stronger approach is to know exactly what each tracker does, where it fires, what data it collects, what vendor receives it, whether consent is required, and whether it should be blocked entirely on sensitive pages.

Vendor management is part of the tracking problem

The Wyssta case also highlights a broader issue: healthcare and dental companies often rely on vendors to operate websites, portals, marketing systems, analytics tools, and benefits infrastructure.

That does not eliminate responsibility.

If a vendor places pixels on a portal, the company still needs to understand the data flow. If an agency configures Google Tag Manager, the company still needs to approve the tags. If a platform includes default analytics tools, the company still needs to review whether those tools are appropriate for the data being processed.

Vendor contracts should address privacy and tracking directly. They should define what data can be collected, whether the vendor can use the data for its own purposes, whether third-party trackers are allowed, whether subcontractors are involved, how long data is retained, and what happens when the contract ends.

For healthcare-adjacent data, vendor review should not be limited to cybersecurity questionnaires. It should include privacy-specific data flow review.

Dental groups should get a privacy audit right away

Dental groups, DSOs, dental insurers, benefits administrators, orthodontic groups, oral surgery groups, and dental software vendors should treat this settlement as a prompt to audit their digital tracking environment.

The first step is to scan the website and identify every cookie, pixel, script, SDK, tag, analytics tool, advertising tool, chat widget, session replay tool, call tracking script, and embedded third-party service.

The second step is to map where those technologies fire. It is not enough to know that Meta Pixel, Google Analytics, Google Ads, TikTok Pixel, LinkedIn Insight Tag, Hotjar, FullStory, call tracking, or chat widgets exist somewhere on the site. The company needs to know whether those tools fire on sensitive pages.

The third step is to classify the pages. Login pages, appointment request forms, patient intake forms, insurance verification pages, claims portals, payment pages, treatment-specific pages, and member dashboards should receive heightened review.

The fourth step is to confirm consent behavior. Non-essential cookies and tracking tools should not fire before valid consent where consent is required. Reject buttons should work. Consent logs should be retained. Preference changes should be honored.

The fifth step is to update disclosures. Privacy policies, cookie policies, consent banners, and vendor disclosures need to match the website’s actual tracking behavior.

The sixth step is to monitor continuously. Websites change constantly. Marketing teams add campaigns. Agencies add pixels. Vendors update scripts. Developers change forms. A site that was compliant last quarter may not be compliant today.
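The audit steps above, together with the page-level controls described earlier, can be expressed as a check over what a browser actually requested on each page. This is an added example, not tooling from Wyssta, Captain Compliance, or any vendor named in this article; the hostnames, path prefixes, policy tiers, and sample observations are all constructed assumptions.

```javascript
const FIRST_PARTY = "portal.example"; // placeholder; all hosts, paths and tiers are assumptions
// Step 1: inventory of known third-party hosts (placeholder names) by category.
const VENDORS = new Map([
  ["analytics.vendor-a.example", "analytics"], ["ads.vendor-b.example", "advertising"],
  ["replay.vendor-c.example", "session_replay"],
]);
// Step 3: page classes by path prefix; unlisted paths fail closed to "sensitive".
const PAGE_CLASSES = [
  ["/blog", "public"], ["/about", "public"], ["/appointments", "consent_only"],
  ["/login", "sensitive"], ["/member", "sensitive"], ["/claims", "sensitive"],
];
// Page-level policy per category: "allow", "consent" (opt-in first) or "block".
const POLICY = {
  public:       { analytics: "allow",   advertising: "consent", session_replay: "consent" },
  consent_only: { analytics: "consent", advertising: "block",   session_replay: "block" },
  sensitive:    { analytics: "block",   advertising: "block",   session_replay: "block" },
};
function classifyPage(pageUrl) {
  const path = new URL(pageUrl).pathname;
  const hit = PAGE_CLASSES.find(([p]) => path === p || path.startsWith(p + "/"));
  return hit ? hit[1] : "sensitive";
}

// Steps 2 and 4: tie each observed request to its page class and consent state.
function auditObservations(observations) {
  const findings = [];
  for (const { page, request, consent } of observations) {
    const host = new URL(request).hostname;
    if (host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY)) continue;
    const pageClass = classifyPage(page);
    const category = VENDORS.get(host) ?? "unknown";
    const rule = POLICY[pageClass][category] ?? "block";
    const reason = category === "unknown" ? "vendor not in inventory"
      : rule === "block" ? `${category} not permitted on ${pageClass} pages`
      : rule === "consent" && consent !== "granted" ? `${category} fired without consent` : null;
    if (reason) findings.push({ page, host, pageClass, reason });
  }
  return findings;
}

// Constructed observations, shaped like rows pulled from a browser network capture.
const SAMPLE = [
  ["/blog/flossing", "https://analytics.vendor-a.example/collect", "none"],
  ["/blog/flossing", "https://ads.vendor-b.example/pixel", "none"],
  ["/member/claims", "https://analytics.vendor-a.example/collect", "granted"],
  ["/appointments/request", "https://replay.vendor-c.example/rec", "rejected"],
  ["/login", "https://api.portal.example/session", "none"],
  ["/about", "https://new-tag.example/t.js", "granted"],
  ["/billing/pay", "https://analytics.vendor-a.example/collect", "granted"],
].map(([path, request, consent]) => ({ page: `https://${FIRST_PARTY}${path}`, request, consent }));
```

Running `auditObservations(SAMPLE)` on a schedule and comparing findings between runs covers the sixth step: a host missing from the inventory or a tag newly firing on a sensitive path shows up as a new finding.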

Why this matters for DSOs

Dental service organizations face a unique version of this problem because they often manage websites at scale.

A DSO may operate dozens or hundreds of practice websites. Some may have centralized marketing. Others may have legacy vendors. Some may use shared scheduling tools. Some may use local landing pages. Some may have inherited old pixels from acquired practices. Some may use call tracking, chat widgets, or lead attribution tools that were never reviewed by privacy counsel.

That creates a scaling problem.

One pixel mistake can be multiplied across an entire portfolio. One tag management misconfiguration can affect every location. One vendor update can create exposure across multiple states.

DSOs need centralized governance for tracking technology. They need a standard approved vendor list, a cookie and pixel policy, a process for adding new tags, a consent management system that actually blocks non-essential tools, and ongoing scans to detect unauthorized changes.

This is not just a HIPAA issue

Healthcare privacy teams often ask whether a tracking issue is a HIPAA issue. That is an important question, but it is not the only question.

The Wyssta lawsuit was framed around the Electronic Communications Privacy Act and the Illinois Eavesdropping Statute. Other website tracking lawsuits have involved state wiretap laws, consumer protection statutes, state privacy laws, unfair trade practice claims, breach of contract theories, intrusion upon seclusion, and unjust enrichment claims.

That means a company can face privacy litigation even when the claim is not purely a HIPAA claim.

This is one of the biggest misunderstandings in healthcare privacy. Some companies think that if a data flow is not clearly protected health information under HIPAA, then the risk is low. That is wrong. The privacy litigation ecosystem is much broader than HIPAA.

Dental and healthcare companies need to assess tracking risk under multiple frameworks, including HIPAA where applicable, state consumer privacy laws, state wiretap and eavesdropping laws, data breach laws, FTC enforcement risk, contract obligations, and industry-specific rules.

The compliance lesson: know what your website is actually doing

The Wyssta settlement reinforces a simple but uncomfortable point: many companies do not fully know what their websites are doing.

They know what the privacy policy says. They know what the marketing team intended. They know what the vendor promised. But they may not know what actually fires in the browser when a user logs in, submits a form, checks benefits, schedules an appointment, or reviews account information.

That gap is where litigation lives.

Privacy compliance now requires operational proof. Companies need to be able to show what trackers are present, when they fire, whether consent was obtained, whether data is sent to third parties, what contractual restrictions apply, and whether sensitive pages are protected.

That cannot be solved once a year with a policy review. It requires scanning, monitoring, documentation, and governance.

Where Captain Compliance fits in

Captain Compliance helps businesses reduce privacy risk across websites, consent banners, cookie disclosures, DSAR workflows, vendor disclosures, and ongoing privacy monitoring.

For dental groups, healthcare companies, and healthcare-adjacent vendors, the Wyssta settlement is a clear signal that website tracking needs to be treated as a core compliance issue. This is especially true for portals, appointment pages, insurance pages, payment flows, and any page where users interact with sensitive or health-related information.

Our tools help companies identify cookies, pixels, tags, and third-party scripts; maintain accurate cookie and vendor disclosures; deploy consent controls; and monitor websites for changes that may create privacy exposure.

The larger lesson from this settlement is simple: the privacy issue that creates your next claim may already be live on your website.

Dental organizations do not need to stop using technology. But they do need to know what technology is running, what data it collects, where it sends that data, and whether the company can defend the setup if a lawsuit, regulator, client, or patient asks questions.

You can also read our related coverage on dental and healthcare privacy risk here: DentaQuest Breach Shows Dental Groups Are Now Carrying Healthcare-Level Privacy Risk. The risks are huge and it’s important to be proactive today.
