How Healthline Media's $1.55M Fine Redefines PHI
While you were buying hot dog buns and getting ready to watch fireworks, California seemingly rewrote the rules of healthcare marketing forever.
In case you missed the news, California Attorney General Rob Bonta announced a $1.55 million settlement with Healthline Media—one of the largest digital health publishers in the U.S., with sites like Healthline.com, Medical News Today, and PsychCentral.
This hefty settlement isn’t just another fine—it’s a big, bright neon sign pointing to a more aggressive stance by California’s privacy regulators that could reshape how everybody (not just covered entities) collects, shares, and profits from health-related content.
Put another way: That diabetes article someone read on your site yesterday? The one that got tracked by your marketing stack? That combination is now potentially illegal.
What Healthline (Allegedly) Did Wrong
Million-dollar settlements are beginning to seem commonplace in the world of healthcare privacy enforcement. But there’s a reason this particular case should ring the alarm for healthcare providers, insurance companies, and—more notably—healthcare publishers.
According to the complaint filed by California Attorney General Rob Bonta, Healthline Media violated the California Consumer Privacy Act (CCPA) by mishandling sensitive health-related browsing data and personal information.
More specifically, they fell short on four key fronts:
- Purpose creep: This is the canary in the coal mine. Under the CCPA, if you collect data for one purpose (serving content), you can’t use it for another purpose (advertising) without explicit consent. Healthline allegedly violated this by sharing with advertisers the titles of health-related articles from which a user’s diagnosis could be inferred.
- Faulty opt-out mechanisms: Because reading health-related information can itself suggest a diagnosis, a working opt-out matters. Healthline’s opt-out for consumers who didn’t want their data shared didn’t actually work as advertised.
- Misleading cookie consent policy: Healthline’s cookie consent banner claimed that rejecting cookies would disable them. But when users clicked “No,” cookies continued to track them.
- Missing contracts: Healthline also failed to have the required contracts in place with third-party partners to ensure their compliance with the CCPA.
Yes, Article Titles Can Now Be Considered PHI/PII
The most impactful part of the settlement is the new line California is drawing in the sand: Even if a user gives consent, you can’t sell or share information that connects a person’s identity to an article about a specific diagnosed medical condition.
For example, if your site runs ad pixels or tracking tools that tie a user’s identity (like their IP address) to the fact that they read an article about diabetes, you’re in risky territory under CCPA.
Healthline’s settlement prohibits them from selling or sharing that combination of information. For marketers relying on ad targeting, retargeting, or lookalike modeling, this could be a major wake-up call.
HIPAA Isn’t Your “Get Out Of Jail Free” Card
If you work at a HIPAA-covered entity (like a hospital or insurer) or are a business associate, you might assume HIPAA keeps you safe. Not so fast.
The CCPA includes an exemption for Protected Health Information (PHI) collected by HIPAA-covered entities and their business associates—but only when that information is maintained within a designated record set.
That means if you collect a personal identifier outside of the record set and use it for advertising or fundraising, it may not qualify as PHI under HIPAA. That makes it fair game for state privacy laws like the CCPA.
So, even if your organization is HIPAA-covered, if you run a blog, condition-specific landing pages, or health risk assessments that use tracking pixels or cookies, you could still be at risk.
For non-HIPAA organizations, the stakes are even higher.
If you’re not covered by HIPAA (like many health content publishers, wellness apps, or DTC health brands), this settlement should be a giant red flag.
State regulators are watching. They’re willing to investigate. And they’re willing to fine. In the past, digital health companies often assumed they fell into a gray area. Healthline’s settlement makes clear that gray area is shrinking fast.
How to Protect Your Organization Now
Recognize that the Healthline Media settlement didn’t come out of nowhere. The California Privacy Protection Agency (CPPA) warned last year that it was “primed and ready” to ramp up enforcement actions. With the Healthline fine, they’re making good on that promise.
California is just one piece of the puzzle. Twenty U.S. states now have their own consumer privacy laws. Some of them (like Washington’s My Health My Data Act) go even further than CCPA in protecting health-related information. Expect this patchwork to grow even more complex in the next few years.
Bottom line: a “wait and see” approach is riskier than ever.
Here are five steps you can take to stay ahead.
- Align with your legal team: Bring your legal and compliance teams into the conversation immediately. Get clear on which parts of your marketing data fall under HIPAA, which don’t, and where state privacy laws might apply.
- Take a closer look at your consent and opt-out mechanisms: Broken consent tools and misleading cookie banners were at the heart of Healthline’s violations. Make sure your consent tools work exactly as promised. Test your opt-out buttons regularly.
- Audit your ad pixels and trackers: Map every tracker running on your websites, blogs, and landing pages. Figure out which ones could tie personal identifiers to condition-specific content. If you’re not sure, assume they do and plan accordingly.
- Review contracts with third parties: Make sure you have up-to-date contracts with any vendors or partners who handle user data, and that those contracts explicitly require them to comply with applicable privacy laws.
- Stay up-to-date with state privacy laws: If you haven’t done so already, monitor other state privacy laws like Washington’s My Health My Data Act. Many states are expanding the definition of “sensitive data” and adding extra rules for health-related information.
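As an added example (not code from the original post, Freshpaint, or Healthline), here is a small audit over tracker beacons captured from a page’s network log that flags the two failure modes described above: beacons that still fire after the visitor rejects sharing, and beacons that send an identifier alongside a condition-specific article title. The hostnames, parameter names (cid, uid, title) and the condition keyword list are assumptions.

```javascript
// Added example, not Freshpaint's or Healthline's code: audit captured tracker
// beacons against the visitor's consent choice and the identity-plus-condition rule.
// Parameter names, hostnames and the keyword list below are assumptions.

// Assumption: condition-specific keywords to look for in the article title a beacon carries.
const CONDITION_TERMS = ["diabetes", "hiv", "depression", "cancer", "psoriasis"];

// Parse one outbound tracker URL into its host and query parameters.
function parseBeacon(url) {
  const u = new URL(url);
  return { host: u.hostname, params: Object.fromEntries(u.searchParams) };
}

// consent: { sharingRejected: boolean } is what the visitor chose in the banner.
// Returns one finding per problem: a beacon that fired after "No", or a beacon
// that sends an identifier together with a condition-specific article title.
function auditBeacons(requests, consent) {
  const findings = [];
  for (const url of requests) {
    const { host, params } = parseBeacon(url);
    if (consent.sharingRejected) {
      // Failure mode 1: the opt-out did not actually stop the tracker.
      findings.push({ host, issue: "fired-after-opt-out" });
    }
    const identifier = params.cid || params.uid || null;
    const title = (params.title || "").toLowerCase();
    const condition = CONDITION_TERMS.find((t) => title.includes(t));
    if (identifier && condition) {
      // Failure mode 2: identity and diagnosis-implying content in one request,
      // which the settlement bars even when the visitor consented.
      findings.push({ host, issue: "identity-linked-to-condition", condition });
    }
  }
  return findings;
}

// Constructed sample beacons, as a tracker audit would capture them from the network log.
const SAMPLE_BEACONS = [
  "https://pixel.ads-vendor.test/collect?cid=1234.5678&title=Type+2+Diabetes+Symptoms",
  "https://stats.analytics-vendor.test/hit?title=How+To+Read+A+Nutrition+Label",
];

// Scenario: the visitor clicked "No" on the cookie banner, yet both beacons still fired.
function runSampleAudit() {
  return auditBeacons(SAMPLE_BEACONS, { sharingRejected: true });
}

if (typeof require !== "undefined" && require.main === module) {
  console.table(runSampleAudit());
}
```

Re-running the same audit with `sharingRejected: false` still reports the diabetes beacon, which is the point of the settlement: consent does not make the identity-plus-condition combination shareable.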
Don’t Assume Compliance, Verify It
Every healthcare marketer has that moment when they realize their entire attribution model might be built on quicksand.
This isn't just about Healthline. It's about the marketing stack you built, the campaigns you're running, and the budgets you're defending next quarter.
If you want peace of mind today, all it takes is a minute to scan your organization’s website to ensure your marketing stack doesn’t put your hard work at risk. Run a free scan with Freshpaint’s Web Tracker Manager.