In a similar fashion many UK GP Practices use https://www.practicewebsites.co.uk/ which is run by https://oldroydpublishinggroup.co.uk/
The Practice websites provided by this company include optional local advertising (to reduce the price for the Practice); I'm sure there is some degree of tracking as part of this.
I successfully complained to my GP Practice 3 years ago about the use of Google Analytics and other trackers - they did remove Google Analytics at the time but I just checked their website now and the buggers have added it back since then.
Practice websites hosted by the above company also seem to auto-generate Privacy Notices and at the time I pointed out numerous mistakes in them to the Practice - quoting laws that do not apply in Northern Ireland (English company, what do you expect), as well as some instances of "[insert org name here]" that showed how much care the Practice took in ensuring their various Privacy Notices were accurate...
"The link includes the name of the ailment in the URL. As the bulk of referrals to this page will come from the "patient access" medical records page, any tracker on this page can make a very safe guess about the medical conditions of the visitor."
I made exactly the same point regarding the Practice's website with its Google Analytics and other trackers. The response I received (which seems to have come from the company) was:
>>The ICO advisor we discussed this with said that, whilst the logging of the IP address of a website visitor and that they visited a page about a health condition would be enough to identify that the individual visited said page, it would not be enough to show this visit related to a condition that the individual themselves had, so it would be unlikely to class as special category data.<<
"An enterprising journalist might be able to get some mileage out of this."
I have been trying to get TheReg interested in my ongoing battle with the Health Service in Northern Ireland regarding their large-scale and ongoing breach of Data Protection law since 2011 regarding the sharing of individuals' GP Practice records. However, the Reg journalist in question didn't respond to my last email of August last year and so I stopped sending him further updates and revealing documents. I guess he lost interest as it was taking too long for me to expose things.
I'm still in a Kafka-esque situation where an org won't delete my health data (shared by my GP Practice) from a central system as the org claim (in 2022) they are only a Data Processor and only my GP Practice, as the Data Controller, can instruct them to delete said data, yet my GP Practice have told the ICO that they instructed said org to delete my data in 2020 and the org refused as "the data could not be removed and the pathway by which data could be removed was not established".
ICO are taking no action against my GP Practice (for losing control of their Data Processor) and have not yet decided whether to take action against the other org (a Data Processor refusing to follow a direct instruction from the Data Controller).