Regulation · 5 min read · 4 July 2026

Invisible Code, Visible Harm: How Monash IVF and Medmate Sent Patient Health Data to Meta and TikTok

Australia's Privacy Commissioner ruled that two health companies ran tracking pixels on sensitive medical pages for years — transmitting fertility and medication searches to social media platforms without a single user's consent.

By train2secure Newsdesk, Security awareness team

Australia's Privacy Commissioner Carly Kind ruled in June 2025 that fertility clinic network Monash IVF and online prescription service Medmate broke the country's privacy law by embedding third-party tracking code on health-related web pages without telling visitors or obtaining their agreement.

What the Trackers Actually Did

A tracking pixel is not a cookie you can decline. It is a fragment of code — sometimes a single transparent image — that fires silently when a page loads, capturing behavioral data and sending it to a remote server. Neither Monash IVF nor Medmate required a login to trigger the collection. Visiting a page was enough.

Monash IVF ran tracking code continuously from 30 July 2012 until December 2024. At peak deployment, seven separate trackers sat simultaneously on pages about egg freezing, sperm and egg donation, and fertility health checks. The company then used the audience signals those trackers generated to push IVF and egg-freezing advertisements back at the same visitors on social media.

Medmate's conduct was narrower in duration but arguably more precise. From April 2021 onward, the company ran a TikTok pixel that transmitted full, untruncated web addresses. Those URLs contained the names of medical conditions: benign prostatic hyperplasia, contraception searches, and others. Medmate also activated a Meta feature that matched site visitors to their Facebook and Instagram accounts even when those visitors were not logged in to Meta's platforms at the time.

The Regulator's Findings

Kind rejected the companies' shared defense that the data was scrambled and therefore not personal information. Her ruling extended Australian privacy law's definition of identifiability: a company does not need to know your legal name. If it can single you out and treat you differently — serving you a targeted IVF advertisement, for example — you are identifiable under the law. That interpretation sets a meaningful precedent for the entire health sector.

The scale of the wider problem backs her concern. A government scan of 50 Australian health websites found that 96 percent used some form of tracking technology. Of those deploying third-party trackers, 77 percent never mentioned the practice in their privacy policies. These are not edge cases. Silent data harvesting on medical pages is effectively industry standard behavior.

Neither company was fined. Kind explained that penalty proceedings take years and provide no immediate protection to the people already affected. Her orders — stop the tracking, permanently delete the collected data — take effect immediately. She was direct that financial penalties remain available if the sector disregards these findings.

Monash IVF told reporters it had already deleted the collected data and strengthened its privacy disclosures. Medmate removed all trackers from its website but has not made a public statement addressing the specifics of the ruling.

Which Security Controls Failed — and Why It Matters Beyond Australia

This incident is not primarily a hacking story. No external attacker breached a database. The failure was deliberate misconfiguration combined with an absence of governance: marketing teams deployed powerful data-collection tools on sensitive medical pages, and no internal privacy review stopped them.

The root cause is a gap in vendor management and data-flow visibility. Most organizations know what servers their developers built. Far fewer know every third-party script running in their production environment at any given moment. Monash IVF's seven simultaneous trackers illustrate how quickly that inventory grows without oversight. A content security policy, a script-inventory audit, or a formal data-protection impact assessment — any one of these controls might have caught the problem in 2012, let alone by 2024.

Human error compounds the technical failure. Somebody at each company approved or simply never questioned the marketing team's pixel deployments. That decision-maker likely did not understand what the pixel transmitted, to whom, or under what legal conditions health data can be shared. The 2023 Verizon Data Breach Investigations Report found that the human element contributes to 74 percent of breaches; misconfiguration and misuse are consistently among the top patterns. Training people to ask "what does this tool actually send, and to where?" before deployment is not a luxury — it is a control.

Organizations that handle health information need staff at every level — marketers, developers, procurement officers, executives — to understand that embedding a social media pixel on a medical page is a data-sharing decision with legal consequences. That is precisely the gap that structured security-awareness training is designed to close: building the institutional reflex to ask privacy and security questions before a tool goes live, not after a regulator issues an order.

What Defenders Should Take From This Ruling

Kind's decision establishes that identifiability does not require a name. Any data point that allows a company to single out and target an individual qualifies. That standard will likely influence regulators in the UK, EU, and Canada, where analogous frameworks exist.

For security and compliance teams, the immediate action list is straightforward. Conduct a full inventory of every third-party script running across your web properties — not just what your developers deployed, but what your marketing, analytics, and advertising platforms injected automatically. Compare that list against your published privacy policy. Any mismatch is a potential regulatory finding.
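The script-inventory audit described above, and the content security policy mentioned earlier, as an added example that is not code from the article or from either company: it classifies the requests a page triggers into first-party, approved and unapproved third-party hosts, flags the pattern the ruling describes (a tracker request whose query string carries the full page URL, and with it the condition name), and derives a policy that only permits the approved hosts. All hostnames and the request list are constructed.

```javascript
// Added example. Hostnames below are hypothetical; the request list is constructed
// to resemble what a HAR export or the browser Performance API would capture.
const ALLOWED_THIRD_PARTIES = new Set(["cdn.clinic-assets.example"]); // hypothetical CDN

// Classify one captured request relative to the page that issued it.
function classifyRequest(requestUrl, pageUrl) {
  const req = new URL(requestUrl);
  const page = new URL(pageUrl);
  const firstParty =
    req.hostname === page.hostname || req.hostname.endsWith("." + page.hostname);
  // A query value containing the page path (or whole page URL) tells the third
  // party which condition or service the visitor was reading about.
  const carriesPageUrl = [...req.searchParams.values()].some(
    (v) => v.includes(page.pathname) || v.includes(page.href)
  );
  return {
    host: req.hostname,
    firstParty,
    allowlisted: firstParty || ALLOWED_THIRD_PARTIES.has(req.hostname),
    leaksPageUrl: !firstParty && carriesPageUrl,
  };
}

// Audit a page's request list; the result is what a privacy review should act on.
function auditPage(pageUrl, requestUrls) {
  const results = requestUrls.map((u) => classifyRequest(u, pageUrl));
  return {
    unapprovedThirdParties: [...new Set(results.filter((r) => !r.allowlisted).map((r) => r.host))],
    pageUrlLeaks: results.filter((r) => r.leaksPageUrl).map((r) => r.host),
  };
}

// Build a Content Security Policy permitting only approved hosts, so an unreviewed
// pixel or script fails to load instead of silently transmitting data.
function buildCsp(allowedHosts) {
  const sources = ["'self'", ...[...allowedHosts].map((h) => `https://${h}`)].join(" ");
  return `default-src 'self'; script-src ${sources}; img-src ${sources}; connect-src ${sources}`;
}

// Constructed sample: one view of a condition page and the requests it triggered.
const SAMPLE_PAGE = "https://clinic.example/conditions/benign-prostatic-hyperplasia";
const SAMPLE_REQUESTS = [
  "https://clinic.example/api/session",
  "https://cdn.clinic-assets.example/app.js",
  "https://pixel.tracker.example/tr?ev=PageView&dl=https%3A%2F%2Fclinic.example%2Fconditions%2Fbenign-prostatic-hyperplasia",
  "https://stats.other.example/collect?sid=abc123",
];
const report = auditPage(SAMPLE_PAGE, SAMPLE_REQUESTS);
console.log(report, buildCsp(ALLOWED_THIRD_PARTIES));
```

Any host in `unapprovedThirdParties` that is absent from the published privacy policy is the mismatch the paragraph above warns about; `pageUrlLeaks` is the narrower, more serious finding.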

For websites that handle health, financial, or other sensitive categories of data, apply the principle of data minimization: collect only what you need, and only after informed consent. The NIST Privacy Framework provides a structured way to map data flows and identify where consent obligations apply.

If you are a patient who visited Monash IVF or Medmate during the periods described above, you can request deletion of any data Meta or TikTok hold about you directly through each platform's privacy settings. Neither company is required to notify individual users under the current ruling, but the deletion orders mean the health firms must erase what they retained.

The takeaway for every organization is blunt: your marketing stack is part of your attack surface. Treat every third-party pixel as a data-sharing agreement, because under an expanding range of privacy laws, that is exactly what it is.

How this could have been prevented

  • Audit your entire third-party script inventory — not just developer-deployed code, but marketing and advertising platforms — and document exactly what data each tool transmits and to whom.
  • Apply data minimization principles to every page that handles sensitive information: obtain explicit consent before any tracking fires, and review your privacy policy against your actual data flows at least annually.
  • Train marketing, procurement, and product teams to treat pixel and tracker deployment as a formal data-sharing decision requiring privacy review, not a routine campaign setup task.

Train2Secure's awareness programs build the organizational reflex to ask privacy and security questions before tools go live — the exact habit that could have prevented years of unlawful data collection at both companies.

Frequently asked questions

What is a tracking pixel and why is it a privacy risk on health websites?

A tracking pixel is a tiny piece of code embedded in a webpage that fires automatically when the page loads, sending behavioral data — including which pages a visitor viewed — to a third party such as Meta or TikTok. On health websites, those page views can reveal sensitive medical interests. No interaction, login, or explicit action by the visitor is required to trigger the data transfer.

Were Monash IVF or Medmate fined for this breach?

No. Australia's Privacy Commissioner Carly Kind issued orders to stop the tracking and permanently delete the collected data, explaining that penalty proceedings take years and provide no immediate protection. She made clear that financial penalties remain available if the industry ignores these findings.

How widespread is third-party tracking on health websites?

A government scan of 50 Australian health websites found that 96 percent used some form of tracking technology, and 77 percent of those deploying third-party trackers never mentioned the practice in their privacy policies.

What should organizations do right now to avoid the same regulatory exposure?

Conduct a full audit of every third-party script running on your web properties, compare the results against your privacy policy, remove any trackers on pages that handle sensitive data without explicit user consent, and ensure staff who procure or deploy marketing tools understand their data-sharing implications before deployment.
