ITnews

OAIC sweep unearths health sites’ covert user tracking


Several Australian health service websites have been covertly tracking visitors and transmitting sensitive health information to social media platforms without disclosure or consent, the Office of the Australian Information Commissioner (OAIC) has found.



Privacy Commissioner Carly Kind published findings from a sweep of 50 health sector websites conducted in late 2024, which revealed that almost all, or 96 percent, used tracking technologies.

Of the sites, 52 percent deployed third-party tracking pixels, a digital advertising industry term for JavaScript code that captures and forwards user data.

Unlike cookies, which are small text files that users can clear or block through browser settings, tracking pixels cannot be deleted by visitors and execute the moment a page loads.

Tracking pixels run before any cookie consent interaction can occur.

The scale of the problem surprised even the regulator and, it would appear, some of the sites in the OAIC’s sweep.

One unnamed health provider, contacted by the OAIC following the sweep, discovered it had 50 active tracking pixels on its website.

It had authorised none of these, and was not aware of them.

The health provider’s Facebook page had long been disabled, yet pixel code placed by a third-party web vendor had continued firing, transmitting visitor data to social media platforms without the organisation’s knowledge.

The OAIC is calling for healthcare operators to audit what tracking technologies run on their sites, and to configure any pixels to collect the minimum amount of information.

For sites that handle sensitive information, the OAIC said pixels should not run at all.
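One way to start the audit the OAIC asks for, as an added example that is not from the OAIC or the article: a small Python script that scans a page's static HTML for the Meta and TikTok pixel artefacts described here (loader or beacon requests to the vendors' hosts, fbq/ttq initialisation calls, and the Advanced Matching user-data argument). The host list, regular expressions and sample page are constructed assumptions, and tags injected at runtime by a tag manager need a browser-level or network-level check instead.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative, not exhaustive: hosts serving the pixel code named in the OAIC findings,
# plus www.facebook.com, which receives the <noscript> image beacon Meta's snippet emits.
TRACKER_HOSTS = {"connect.facebook.net": "Meta Pixel", "analytics.tiktok.com": "TikTok Pixel",
                 "www.facebook.com": "Meta Pixel"}
# fbq('init', '<id>', {em: ..., ph: ...}): the third argument is Advanced Matching user data.
FBQ_INIT = re.compile(r"fbq\(\s*['\"]init['\"]\s*,\s*['\"](\d+)['\"](?:\s*,\s*\{([^}]*)\})?")
TTQ_LOAD = re.compile(r"ttq\.load\(\s*['\"]([A-Za-z0-9]+)['\"]")

class ScriptCollector(HTMLParser):
    def __init__(self):
        super().__init__()
        self.urls, self.inline, self._buf = [], [], None
    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in ("script", "img") and src:
            self.urls.append(src)          # external script or image beacon
        elif tag == "script":
            self._buf = []                 # start capturing inline code
    def handle_data(self, data):
        if self._buf is not None:
            self._buf.append(data)
    def handle_endtag(self, tag):
        if tag == "script" and self._buf is not None:
            self.inline.append("".join(self._buf)); self._buf = None

def audit_trackers(html):
    """Return one finding per tracking artefact found in the static HTML."""
    p = ScriptCollector(); p.feed(html); p.close()
    findings = []
    for url in p.urls:
        host = urlparse(url).netloc.lower()
        if host in TRACKER_HOSTS:
            findings.append({"vendor": TRACKER_HOSTS[host], "kind": "request to " + host})
    for code in p.inline:
        for m in FBQ_INIT.finditer(code):
            findings.append({"vendor": "Meta Pixel", "kind": "init " + m.group(1),
                             "advanced_matching": bool(m.group(2) and m.group(2).strip())})
        for m in TTQ_LOAD.finditer(code):
            findings.append({"vendor": "TikTok Pixel", "kind": "init " + m.group(1)})
    return findings

# Constructed sample page: a Meta pixel using Advanced Matching, a TikTok loader, a beacon.
SAMPLE_PAGE = """<html><head><script>
fbq('init', '000000000000000', {em: 'HASHED_EMAIL_PLACEHOLDER'}); fbq('track', 'PageView');
</script><script src="https://analytics.tiktok.com/i18n/pixel/events.js?sdkid=EXAMPLEID"></script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView"/></noscript>
</head><body></body></html>"""
```

Running `audit_trackers(SAMPLE_PAGE)` reports three findings, including the Meta init call flagged with `advanced_matching: True`.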

Enforcement action taken against Monash IVF and Medmate

Following the 2024 sweep, privacy commissioner Carly Kind initiated investigations against two health providers, fertility clinic operator Monash IVF and telehealth platform Medmate.

Monash IVF was found to have run tracking pixels since July 2012, meaning they had been active for over a decade.

It was unable to account for when its Meta Advanced Matching feature, which transmits hashed usernames, email addresses and phone numbers from form submissions, had been activated, or for how long.

Custom Audience lists of people who had interacted with Monash IVF, containing their names, contact details and other information, had been uploaded to Meta; Monash IVF could not confirm to the OAIC where the data had come from.

In the case of Medmate, the OAIC found it had transmitted full URL strings through its TikTok pixel.

This embedded specific health conditions and medications in the page path, including searches that identified contraception, urinary tract infection treatments, and bacterial vaginosis assessments.

Medmate had implemented a cookie consent banner in the final weeks before the investigation commenced, but the OAIC found it inadequate.

The interstitial referred to cookies rather than tracking pixels, did not name Meta or TikTok, and did not explain that data was being transmitted to external servers.

The OAIC’s determinations in both cases were handed down on 11 June 2026, with the privacy watchdog ruling that Monash IVF and Medmate had both breached Australian Privacy Principles 3.3, 5.1 and 7.1.

These cover consent to the collection of personal information, notifying individuals that collection is taking place, and the use or disclosure of sensitive data for direct marketing without consent.

The OAIC issued declarations that Monash IVF and Medmate must not repeat or continue such conduct.

Traffic figures in the OAIC determinations suggest that the sites enjoyed substantial visitor numbers, well over a million per year combined.