So nobody checked
""We learned that pixels or similar technologies installed on our patient portals … transmitted certain patient information to the third-party vendors that provided us with the pixel technology,""
You're saying that, in an intrinsically sensitive data environment, you didn'y bother to verify the funtionality of your portals? Taking for granted whatever a third party web dev delivers is not sufficient, particularly as said third party web devs are in the habit of not verifying the functionality of the fourth party or library widgets they apply to commissioned sites.