Enshittification hits the patient portal: SimplePractice, tracking pixels, $4 billion.
What SimplePractice Is Accused Of
Attorneys working with ClassAction.org suspect that SimplePractice had tracking pixels from Meta, Google, and TikTok embedded in their client portal: the pages where your clients were booking appointments, filling out intake forms, and messaging you. Similar lawsuits have cost hospitals and telehealth platforms over $100 million in related settlements since 2023, according to industry analyses.
As of March 2026, I could find no public denial from SimplePractice. We have all internalized the presumption of innocence, but that presumption was designed for citizens, not private equity-owned corporations. If these allegations are not true, why on earth wouldn't SimplePractice immediately and forcefully deny them?
In order to fully flesh this out, I'm going to first go into some detail about how these technologies actually work, and then into who SimplePractice is, and some other concerning things about the company's behavior and terms of service.
How Tracking Pixels Work
To see why the tracking pixels SimplePractice is accused of using are different from ordinary web tracking, it is helpful to distinguish them from the browser cookie, which has been a staple of the web since the mid-1990s. A cookie is like a digital passport stamp, a small file stored locally on your device that a website checks to remember your session. While cookies are frequently exploited for tracking, they are at least visible: you can see them, delete them, and nominally opt out. They also make the web more useful, because a website can remember you and your preferences, or the items in your shopping cart.
A tracking pixel is much worse, and does nothing for you. It is a snippet of JavaScript that fires the moment a page loads, transmitting your IP address, your device identifier, and your real-time behavioral data directly to a third party. You cannot delete a pixel, and you cannot opt out because its execution is invisible. Incognito mode doesn't protect you: it prevents your browser from saving your history locally, but it does nothing to hide your IP address or device identifier from the tracking pixels embedded in the pages you visit. A VPN doesn't protect you: it masks your IP address but not your device identifier, which can be reconstructed from your browser type, screen resolution, operating system, and other technical characteristics. Security-first browsers like Brave don't protect you: while they disguise your device fingerprint, sophisticated trackers can still re-identify Brave users across sessions by combining GPU information with timezone data.
For a therapy client logged into an authenticated portal who has ever used Facebook on that device, the pixel has transmitted everything Meta needs to identify them: who they are, and that they are a mental health client. The HHS Office for Civil Rights has made it clear that this combination constitutes protected health information.
Meta runs its pixel on millions of websites and uses it to build behavioral profiles of people across the internet, whether or not they are logged into Facebook. A company you pay to protect your clients' health information should protect your clients' health information. Instead, SimplePractice is accused of feeding it to the same company that tracks your clients across the rest of the internet.
The use of hidden surveillance tools like tracking pixels is unfortunately now standard practice for a publicly traded software company under pressure to demonstrate that every marketing dollar converts. Pixels close the attribution loop, the chain that connects ad spend to a completed booking, allowing leadership to prove that every marketing dollar is producing trackable results. Within that logic, your clients' presence in the portal is a data point in a conversion funnel, and the clinical relationship is infrastructure for someone else's balance sheet. We cannot allow that logic to colonize the holding environment. The therapeutic container depends on the premise that our clients' trust will not be exploited, and that premise was being violated at the level of the patient portal itself, before the first session even began.
To be clear, so far I have only been talking about SimplePractice sharing the fact that a client was visiting a mental health patient portal, not about the data within the SimplePractice EHR. There is no evidence that that data has been shared with Meta, Google, or TikTok.
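As an added illustration (not code from SimplePractice or from the lawsuit), here is one way to check a portal for this yourself: export a HAR file from your browser's developer tools while using the portal, then list every request that went to a tracker domain and whether the page address went with it. The domain list and the sample capture below are assumptions constructed for the example.

```javascript
// Added example: audit a HAR capture of a portal session for third-party tracker requests.
// TRACKER_HOSTS is an illustrative, non-exhaustive assumption; extend it for your own audit.
const TRACKER_HOSTS = {
  "facebook.com": "Meta",
  "facebook.net": "Meta",
  "google-analytics.com": "Google",
  "googletagmanager.com": "Google",
  "tiktok.com": "TikTok",
};

// Return the vendor whose domain equals the host or is a parent of it, else null.
function vendorFor(host) {
  for (const [domain, vendor] of Object.entries(TRACKER_HOSTS)) {
    if (host === domain || host.endsWith("." + domain)) return vendor;
  }
  return null;
}

// List every tracker request in the HAR and how the portal page address reached the vendor.
function auditHar(har, portalHost) {
  const findings = [];
  for (const { request } of har.log.entries) {
    const url = new URL(request.url);
    const vendor = vendorFor(url.hostname);
    if (!vendor) continue;
    const leaks = [];
    const referer = (request.headers || []).find((h) => h.name.toLowerCase() === "referer");
    if (referer && referer.value.includes(portalHost)) leaks.push("Referer header");
    for (const [key, value] of url.searchParams) {
      if (value.includes(portalHost)) leaks.push("query parameter " + key);
    }
    findings.push({ vendor, host: url.hostname, leaks });
  }
  return findings;
}

// Constructed sample capture (not real traffic): one first-party request, two tracker requests.
const sampleHar = { log: { entries: [
  { request: { url: "https://portal.example-practice.test/appointments/new", headers: [] } },
  { request: { url: "https://www.facebook.com/tr/?id=0000&ev=PageView&dl=https%3A%2F%2Fportal.example-practice.test%2Fappointments%2Fnew", headers: [] } },
  { request: { url: "https://analytics.tiktok.com/i18n/pixel/events.js", headers: [{ name: "Referer", value: "https://portal.example-practice.test/" }] } },
] } };

console.log(JSON.stringify(auditHar(sampleHar, "portal.example-practice.test"), null, 2));
```

An empty `leaks` list on a finding still means the vendor received the visitor's IP address and browser details; a non-empty one means the vendor was also told which portal page was open.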
SimplePractice's Terms of Service and the $4 Billion Sale
Unfortunately, there's also a concerning issue regarding how that data will be used by SimplePractice and its parent company. Get a load of this timeline:
August 2023: SimplePractice sent an email to customers stating they had two weeks to accept a new Terms of Service, or they would be locked out of their accounts. The new terms included this language in section 9.2:
"You hereby automatically at such time grant SimplePractice (and its affiliates) a non-exclusive, worldwide, royalty-free, fully paid-up, perpetual, irrevocable, sublicensable (through multiple tiers), and transferable license to use, reproduce, distribute, prepare derivative works of, perform and display such User Data, for the purposes of providing you the Services and further developing, improving, and marketing SimplePractice's products and services, it being understood that the results generated from use for purposes other than providing the Services are not identifiable with the Organization or any natural person."
Notice your tendency to glaze over when you see language like this. Go back and read it out loud, slowly. Feel how totalizing it is. There is no use of your data it does not claim. There is no geography it does not cover. There is no future in which it expires.
They also added a class action waiver, meaning users cannot sue them collectively. SimplePractice framed all of this publicly as a response to "recent case law and changes in state privacy laws."
Also in August 2023: SimplePractice announces the acquisition of Luminello, a psychiatric EHR.
October 2023: EngageSmart, SimplePractice's parent company, announces it has agreed to be acquired by Vista Equity Partners, a private equity firm that invests exclusively in software and data companies, for $4 billion.
January 2024: The deal closes. SimplePractice goes private.
Vista Equity Partners is not a healthcare company. It is a data company. What they acquired for $4 billion includes the data rights SimplePractice locked in two months before the deal was announced. SimplePractice's updated terms granted them a perpetual, irrevocable license to use and prepare derivative works from your de-identified clinical data, including for developing and marketing new products, even after you cancel your account. That has commercial value. Expanding those rights before a sale increases the valuation of what is being sold. The class action waiver protects the investment from the exact litigation now being pursued. Vista is not the first private equity firm to acquire a healthcare EHR and build analytics products on top of clinical data. It is the playbook.
The terms would allow them to build population health analytics products they could sell to insurers, who use aggregate treatment data to make decisions about what care they will authorize and for how long. Do you trust them not to? The terms would allow them to build benchmarking tools sold to hospital systems, creating industry standards from private practice data that could be used to evaluate and pressure individual clinicians toward higher caseloads and shorter treatment. Do you trust them not to? They would allow them to build an AI therapist trained on the clinical patterns of 200,000 practitioners and millions of their clients. Do you trust them not to?
The interface is the product they want you to fall in love with. The terms of service are the product they actually built.
I chose SimplePractice when I went into private practice because the interface was genuinely good. I have a very vague memory of some feelings regarding a terms of service update in 2023, but I guess I put it out of my mind. That was a mistake I now own. Somehow I ended up paying for a platform that was supposed to support my work, only to discover that my subscription fees were funding the acquisition of a perpetual right to extract, package, and sell insights from my clinical work and from the intimate details my clients trusted me to protect.
The Surveillance State
The protection of personal health information is more important now than ever. The surveillance state and the corporations it partners with are tightening their grip. By now hopefully you have heard of Palantir, a data analytics company that received early seed funding from In-Q-Tel, the CIA's venture capital arm. It holds contracts with ICE, the Pentagon, and insurance companies, and is actively integrating commercial data into systems designed to profile, predict, and control. In January 2026, 404 Media reported that Palantir built a tool for ICE called ELITE that draws on Medicaid data, among other government sources, to generate location dossiers and confidence scores on potential deportation targets. Once health data enters the commercial data ecosystem, device identifiers get linked to the human beings who carry them, and licensed for purposes that are increasingly nefarious.
Now What?
Here are specific things you can do right now, regardless of what platform you are on.
Share this post with anyone you know who is still using SimplePractice. Forward it to them, and then follow up and actually talk about it. Respectful, supportive peer pressure is how we maintain ethics in our field.
Post about it on LinkedIn, or engage with posts I've already made there about it.
Call CAMFT. Their member services line is (888) 892-2638. Ask them two questions: why SimplePractice, which pays CAMFT for CEPA continuing education provider status, still holds that approval while the pixel tracking litigation is active, and who in the organization is responsible for addressing the commodification of therapy. Ask which committee or staff member is leading that work, and whether you can speak with them directly. You don't need to be confrontational. The questions are the point. If enough members ask them, it creates at least the conditions for a response. I plan to write more about CAMFT's role in this soon.
Read your own EHR's terms of service, whatever platform you are on. Look for the scope of the data license: is it limited to providing you the service, or does it extend to preparing derivative works from your clinical data? Is there a class action waiver? Is there a clear statement about what happens to your data when you cancel? These are not fine print questions. They are clinical ethics questions.
If you are on SimplePractice, I think you should leave immediately.
When I found out about the lawsuit a month ago, my instinct was to contact every client who had ever used my portal, including people I'm no longer working with, and tell them what I understood to have happened, with a link to the class action lawsuit page. I was ready to send that email, but I called CAMFT first. The attorney I spoke with managed to talk me out of going full nuclear, and I think rightly pointed out that this was premature until the lawsuit is settled, and might cause unnecessary distress for my clients. She suggested that, if I no longer trust SimplePractice, I immediately switch platforms and simply inform my clients that I am doing so. This isn't the first time my revolutionary zeal has been contained in consultation.
One option is to go back to paper. This is worth considering, and I know therapists who are doing it. However, if you work with insurance, supervise associates, run credit cards, or maintain HIPAA-compliant records, you need practice management infrastructure.
Not all companies are equivalent. Some are venture-funded and answerable to investors who see your clients' data as an asset. Some are publicly traded and answerable to quarterly earnings. Some have been acquired by private equity and are now answerable to none of the above except return on capital. And some are just a company making money from a product they built, without outside investors to satisfy. That distinction matters, even if it doesn't guarantee anything. Choose carefully. Look at who owns the company and what their incentives are. Notice whether the data license is limited to providing you the service or whether it extends to preparing derivative works from your clinical data in perpetuity. Notice whether there is a class action waiver.
I switched to Sessions Health
I tried Sessions and Jane, and Sessions won on user interface, terms of service, and on price, so it wasn't a hard choice for me. It was co-founded by a psychotherapist and built specifically for mental health practice. Their Terms of Service are explicitly limited to providing you the service. There is no perpetual irrevocable license. No derivative works. Their Trust Statement says they do not use your data for AI training, and no AI feature is active in your account without your explicit consent. It also pledges to destroy your data when you cancel, but the TOS uses softer language, which is worth noting. These are the things SimplePractice's terms would permit that Sessions Health's terms explicitly prohibit.
The trust statement also says they will not share data with government entities except under court order, which is important because DHS has been issuing administrative subpoenas to tech companies including Google, Meta, and Reddit demanding user data, and those companies have been complying. SimplePractice has made no public statement about how it handles such requests.
I am choosing to trust this company with my clients' data...for now. Read the terms yourself. And when they update them, read those too.
The Bigger Picture
The story I just described is not unique to SimplePractice. It is a story about the logic of capitalism. The imperative for any corporation answerable to outside investors is to maximize their return. This is not a cultural failing or a matter of bad leadership. It is a legal structure, and it is the structure SimplePractice now operates within.
The mechanisms we as citizens have to discipline corporations for harmful behavior are utterly pathetic and completely inadequate. The fines that do occasionally result from regulatory action are usually a drop in the bucket, simply part of the cost of doing business. The year that BetterHelp paid $7.8 million to settle with the FTC, they generated $1.13 billion in revenue. The fine was less than one percent of annual revenue. If you earned $100,000 a year and faced a proportional consequence for the same conduct, it would cost you $690.
The story is getting old. A corporate entity sells technology that is useful to human beings, and it changes the way we work and live. We come to depend on it. And then, when we are dependent, the terms are changed.
This is the same extractive capitalist logic that drove colonialism, now operating in the digital realm. Agreements made with the people who actually produce value are rewritten at will, so that anything of value can be maximally extracted, no matter what damage is caused to the ecosystems, bodies, and intimate lives that were the source of that value.