The Heist

Sell privacy-by-design growth attribution to the 200,000+ small medical practices terrified of pixels, lawsuits, and accidentally leaking patient data.


Tens of thousands of clinics across the United States are running Google Analytics and Meta Pixel on their websites with no idea they're sitting on a compliance bomb. The ones who do know have ripped out their tracking entirely and are flying blind: no attribution, no referral data, no clue which marketing channels produce booked appointments.

The play is a deliberately minimal server-side attribution tool that answers the only questions clinics care about — what drove this week's appointments and who actually showed up — without tracking a single patient.

At 100 clinics on a $299/month plan with average $1,000 onboarding fees, you're at $30K MRR plus $100K in setup revenue in year one.

Clinics don't churn off compliance infrastructure. And nobody is serving this market at this price point.

Why This Is Happening Now

Between 2023 and 2025, U.S. healthcare providers paid over $100 million in penalties and settlements tied to pixel tracking violations. Advocate Aurora Health settled for roughly $12.25 million after Meta Pixel and Google Analytics exposed data on millions of patients. Mass General Brigham paid $18.4 million. Aspen Dental settled for $18.5 million, affecting over 2.2 million people who booked appointments through its website. As recently as mid-2025, MarinHealth, Redeemer Health, NorthBay Healthcare, Legacy Health, and Reid Health all settled pixel-related class actions, with new lawsuits filing almost weekly.

The pattern in every case: standard tracking scripts transmitted interaction data — page visits, appointment bookings, form submissions, IP addresses — to Meta or Google without patient consent, and a class action followed. This is the default setup for most clinic websites in America.

The core problem is structural. Google does not offer a Business Associate Agreement for Google Analytics. Google's own documentation says it plainly: HIPAA-regulated entities "must refrain from using Google Analytics in any way that implicates Google's access to, or collection of, PHI." Under HIPAA, any vendor that might process Protected Health Information needs a BAA in place. Google won't sign one. No version of GA is HIPAA-compliant if there's any possibility PHI is captured or inferred, because GA transmits URLs, IP addresses, user agents, and query parameters that can combine into individually identifiable health information.

On a clinic website, a page URL alone can imply a health condition. Someone visiting /fertility-services or /addiction-treatment/intake-form creates what regulators consider individually identifiable health information the moment that URL gets paired with an IP address. The tracking doesn't need to capture a name or a diagnosis. Even clinics that try to configure GA carefully face a losing game: one URL parameter left unstripped, one form field accidentally tagged, one portal page with a tracking script still active, and you've created a discovery problem that a plaintiff's attorney can build a case around.

HHS's Office for Civil Rights issued tracking guidance in December 2022, updated it in March 2024, and made its enforcement priorities clear. A Texas federal court vacated part of that guidance in June 2024, ruling HHS overstepped its authority regarding unauthenticated public webpages. The ruling is narrow. It doesn't touch authenticated pages, patient portals, appointment forms, or state-level privacy laws. And it doesn't stop plaintiffs' attorneys, who file under state wiretapping statutes and the Electronic Communications Privacy Act regardless of federal guidance.

The regulatory picture is messy. The litigation picture is not.

The Market Gap

The U.S. has roughly 213,000 private medical practices, 73% of them small (fewer than 50 employees). Add 6,100 hospitals, 31,000+ clinics, and nearly 488,000 small-to-medium ambulatory healthcare businesses, and you're looking at a massive addressable market. Industry guidance now openly tells these providers that if GA is free, a compliant alternative will necessarily cost real money — which primes them to accept a paid solution.

Existing solutions skew heavily upmarket. Freshpaint, the category leader, raised $41.8 million in total funding, serves 250+ healthcare organizations including Baptist Health and Yale, and reported 10x revenue growth in 2023. Their pricing runs $25,000 to $150,000 per year. Their positioning and marketing materials are tailored to hospitals, DSOs, and payers — system-wide attribution, PE-level ROI reporting, multi-location optimization. They're unlikely to race down-market to a $150–300 price point for tiny clinics. Piwik Pro requires its Enterprise plan for HIPAA compliance. Matomo offers self-hosted options but puts the security and configuration burden on the practice. Mixpanel, Amplitude, and Heap all restrict HIPAA compliance to enterprise tiers.

A five-provider dermatology practice in suburban Phoenix doesn't have a compliance team or a six-figure software budget. Neither does a two-location fertility clinic in Charlotte, or a solo mental health practitioner in Portland. These providers need measurement too, and their marketing dollars are tighter, so every wasted referral source matters more.

That gap between enterprise pricing and small-practice need is where you build.

The Opportunity: Privacy-by-Design Growth Attribution

Clinics don't care about pageviews, session duration, or funnel visualization. They care about four things:
