How Did This Happen? Understanding the Issue of Third-Party Tracking Tech in Healthcare
Third-party tracking tech on hospital websites has resulted in numerous data breaches in the past year, prompting questions about how this tech can be used in a compliant manner.
In June 2022, journalists discovered that a third of Newsweek’s top 100 hospitals in America had the Meta Pixel installed on their websites, which allegedly sent a packet of data to Facebook whenever a visitor clicked a button to schedule a doctor’s appointment.
One of the news sources breaking the story, The Markup, also observed the Meta Pixel operating inside the password-protected patient portals of seven health systems, sending patient names, medication information, and appointment details to Facebook. Prior research indicated that third-party tracking tech was a potential privacy issue in healthcare and other industries. But The Markup’s article brought the prevalence of this tech on hospital websites to the forefront of the news cycle.
Following the article’s publication, an influx of breach notifications and lawsuits rolled in, with hospitals across the country admitting that tracking tech originally installed to measure and evaluate website visitor trends had inadvertently been disclosing sensitive information to tech companies such as Meta and Google.
Further research revealed that tracking tech is far more prominent on healthcare websites than The Markup’s initial findings indicated. A study published in Health Affairs in April 2023 found third-party tracking technologies on nearly all United States nonfederal acute care hospital websites.
In the year since these discoveries were made, healthcare data security and privacy experts have raised concerns not only about why this technology remains so widespread across healthcare, but why many hospitals were not even aware that this tech was quietly operating on their systems for years.
Understanding the root causes of this issue requires a deep dive into what this tracking tech promises to provide its customers, and the communication, technical, and regulatory gaps that contributed to this problem going unnoticed at some healthcare organizations.
What is Third-Party Tracking Tech, and Why Does Healthcare Use It?
According to Meta, the Meta Pixel is a snippet of JavaScript code that enables website operators to track visitor activity. The Meta Pixel can collect data on HTTP headers, button click data, form field names, and other values.
The pixel works by “loading a small library of functions which you can use whenever a site visitor takes an action (called an event) that you want to track (called a conversion),” Meta states. This activity can help organizations measure ad effectiveness, define custom audiences for ad targeting, and analyze the effectiveness of the website’s conversion funnels.
Although it catalyzed the discovery of this widespread issue in healthcare, the Meta Pixel is just one example of third-party tracking technology. Google and other tech companies offer similar solutions. Cookies, web beacons, session replay scripts, and fingerprinting scripts are other examples of third-party tracking tech.
In a bulletin on its website, the HHS Office for Civil Rights (OCR) says:
“Generally, a tracking technology is a script or code on a website or mobile app used to gather information about users as they interact with the website or mobile app. After information is collected through tracking technologies from websites or mobile apps, it is then analyzed by owners of the website or mobile app (‘website owner’ or ‘mobile app owner’), or third parties, to create insights about users’ online activities. Such insights could be used in beneficial ways to help improve care or the patient experience. However, this tracking information could also be misused to promote misinformation, identity theft, stalking, and harassment.”
Hospitals may implement this tech to enable increased functionality and gain insights about their users. But failing to consider the security risks of these tools can put healthcare organizations and patient data at risk.
“I think it's probably the case that a lot of these tracking technologies end up on hospital websites without folks really thinking about it or thinking about the implications because they install them because they like the functionality that they offer,” said Matthew McCoy, assistant professor of medical ethics and health policy at the University of Pennsylvania during an episode of Healthcare Strategies. McCoy and his colleagues led the study published in Health Affairs, which revealed that the presence of third-party tracking tech on hospital websites was more widespread than previously thought.
These tools offer organizations key marketing insights, reporting capabilities, and effective measurements that are useful in the digital marketing space. But a lack of communication between marketing, legal, compliance, and IT teams across healthcare may leave an organization open to a myriad of privacy risks, as exemplified by the dozens of breach notifications stemming from this issue in the past year.
How Widespread Are Third-Party Data Transfers?
The April 2023 study published in Health Affairs revealed that 98.6 percent of more than 3,700 analyzed hospital website home pages had at least one third-party data transfer, and 94.3 percent had at least one third-party cookie.
Despite recent scrutiny against Meta, Alphabet (the parent company of Google) was the most common tracking entity among the hospitals in the sample, accounting for 98.5 percent of all third-party transfers on hospital site home pages. Alphabet was followed by Meta, Adobe Systems, and AT&T.
What’s more, the researchers found no discernible difference between the amount of tracking on home pages versus condition-specific pages, the latter of which have the potential to gather insights about a person’s medical conditions.
Meta’s Stance on Health Data Privacy
Meta’s website explicitly states that it does not want businesses to share sensitive health information about users with it.
“If Meta’s signals filtering mechanism detects Meta Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems,” Meta notes.
However, Meta also notes that it is the responsibility of organizations using Meta Business Tools (such as the Meta Pixel) to “fix any instances in which you might be sending Meta Business Tools data containing sensitive health-related information or prohibited user Contact Information as soon as you learn of them, in order to help you comply with Meta Business Tools terms.”
Despite these assurances, little is known about how Meta or other tech companies that operate tracking technologies are using or protecting the sensitive data that is sent to them.
The companies receiving this data may allow for targeted advertising geared toward a patient’s specific health concerns, such as pharmaceutical ads.
“These practices have led to lists of patients with particular disease types and their information, including their telephone numbers and home addresses, being available for purchase. Third-party tracking code on hospital web pages may facilitate these types of health-related tracking,” the study explained.
“Because little is known about the precise ways in which third parties use tracking data, the implications of extensive third-party tracking on hospital websites remain unknown but are potentially far reaching.”
While the potential impacts of these specific data transfers remain unknown, other healthcare data breaches have shown the damaging effects that impermissible disclosures of protected health information (PHI) can have on patients.
“Such disclosures can reveal sensitive information including health conditions, diagnoses, medications, medical treatments, frequency of visits to health care professionals, where an individual seeks medical treatment, and more,” HHS and the Federal Trade Commission (FTC) stated in a letter sent to 130 healthcare organizations and telehealth companies in July 2023 warning them about the risks of third-party tracking tech.
“In addition, impermissible disclosures of personal health information may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or to others.”
Beyond patient privacy harms, these disclosures can cause legal issues and noncompliance charges against healthcare organizations.
Lack of Communication Creates Compliance Gaps
The first step in ending this cycle of potential patient privacy harms is understanding the factors that contributed to this issue becoming so widespread – one of which is a lack of communication between marketing, IT, security, and legal teams, experts say.
“There has been a shift in the past three years where previously the marketing teams and the legal teams didn't have a whole lot of interactions except when the marketing team needed a creative claims approval or something like that,” said Sean Buckley, data privacy and technology lawyer and member at Dykema, in an interview with HealthITSecurity.
“But today, marketing and legal really need to be talking to each other. All of a sudden, we have a bunch of publicly facing websites that have pixels and tracking beacons on them that legal and privacy teams may not even know were there.”
As digital marketing teams leverage tracking tools to enhance their objectives, it is crucial to also loop in security, privacy, and legal teams to consider key privacy issues that may arise as a result of this tech.
“This is a prime example of lack of visibility, change control, communications, education, and risk assessments,” said Will Long, chief enterprise security officer at First Health Advisory and former CISO at the Children’s Health System of Texas. “There's a myriad of problems that all lined up and allowed this kind of exposure to happen.”
Sometimes, cybersecurity and IT teams do not have full visibility into everything that’s going on, Long explained. In other cases, there may be a lack of separation of duties and checks and balances in place to ensure that this tech is being implemented in an ethical, compliant, and secure manner.
As healthcare organizations continue to expand their reach by leveraging digital marketing tactics, these developments must come along with a clear communication structure within the organization to ensure that tracking tech does not fall through the cracks.
“It's just a fundamental breakdown in healthcare of who's managing the website? Does IT really have control over what's being installed in that web code? Are they outsourcing stuff and other organizations maybe managing some of that?” Long added.
“And it just boils down to not understanding what exactly that tracking software is really doing, and nobody really took a hard look at it because had they known, they would not have installed it.”
Third-Party Tracking Tech Points to Systemic TPRM Issues
Gaps in communication are potentially a symptom of larger issues surrounding technical process oversights and third-party risk management (TPRM) challenges, which have long been a pain point in healthcare.
“As far as I’m concerned, this is a third-party risk problem,” Long posited. “You installed something or transmitted something, you didn't know it, you didn't analyze your risk, which we would normally do with some large project in a healthcare system. So how did this slip through? Well, communication, change control, segregation of duties, all that stuff leads to not assessing your risk properly.”
Third-party data breaches accounted for the majority of the top ten largest breaches reported to HHS in 2022, some of which were directly tied to third-party tracking tech issues. As such, the third-party tracking tech problem may point to a more systemic TPRM challenge in healthcare, rather than a one-time mishap.
“There are so many ways installing a pixel tracker for analytics on a website doesn't feel like the same thing as installing software on everybody's PC, or putting some new application in the data center, or transmitting PHI or files to a third party,” Long added.
“It's managed differently. Sometimes it's outside of IT, and it's just a lack of visibility. It really comes down to everything that you install or do, you have to stop and assess the risk.”
Because third-party tracking tech may be implemented by marketing teams rather than IT, it may not go through the same channels as other tech. Tackling this issue requires an emphasis on upfront diligence, Buckley stressed. Specifically, Buckley advised healthcare organizations to conduct an audit of their site to determine every data flow coming from the site.
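As an added example (not code from the article, Meta, Google or any vendor), the helper below does the kind of site audit Buckley describes: given captured outbound requests from a hospital page, it lists every third-party destination, the parameter keys sent, and which of those carry values like a condition-page URL or an appointment button label, the data the Meta Pixel reporting above involved. The vendor domain list, the hostnames and the sample capture are constructed assumptions for illustration.

```javascript
// Added example, not from the article or any vendor: inventory the outbound requests
// a hospital page makes and flag third-party destinations and the parameters they carry.
// Input is a list of captured requests (e.g. exported from the browser's network tab);
// the sample at the bottom is constructed for illustration.

// Registrable-domain approximation: the last two labels. Assumption kept for brevity;
// a production audit should use the Public Suffix List (e.g. for co.uk-style suffixes).
function registrableDomain(hostname) {
  return hostname.toLowerCase().split('.').filter(Boolean).slice(-2).join('.');
}

// Labels for the vendors the article names; the domains are assumed here, so extend
// this map from your own scan results rather than treating it as complete.
const KNOWN_VENDORS = {
  'facebook.com': 'Meta Pixel',
  'facebook.net': 'Meta Pixel loader',
  'google-analytics.com': 'Google Analytics',
};

// Heuristic for parameter names or values that may carry clinical context
// (condition pages, appointment buttons). Constructed list; tune it to your URL scheme.
const CLINICAL_HINT = /appoint|condition|diagnos|medic|patient|provider|symptom/i;

// One finding per third-party request: destination, vendor, every parameter key sent,
// and the subset whose key or value looks clinically meaningful.
function auditRequests(siteOrigin, requests) {
  const firstParty = registrableDomain(new URL(siteOrigin).hostname);
  const findings = [];
  for (const req of requests) {
    const url = new URL(req.url);
    const dest = registrableDomain(url.hostname);
    if (dest === firstParty) continue; // first-party traffic is not a third-party data flow
    const params = new URLSearchParams(url.search);
    if (req.body) for (const [k, v] of new URLSearchParams(req.body)) params.append(k, v);
    const keys = [...new Set(params.keys())];
    const sensitive = keys.filter(k => CLINICAL_HINT.test(k) || CLINICAL_HINT.test(params.get(k)));
    findings.push({
      host: url.hostname,
      vendor: KNOWN_VENDORS[dest] || 'unknown third party',
      keys,
      sensitive,
      // Per OCR's bulletin, a vendor receiving PHI needs a BAA; a promise to strip it is not enough.
      needsBaaReview: sensitive.length > 0,
    });
  }
  return findings;
}

// Constructed sample capture: a first-party search, an appointment-button click reported
// to the pixel endpoint, and an analytics page view. Hostnames and IDs are placeholders.
const SAMPLE_REQUESTS = [
  { url: 'https://www.example-hospital.org/api/search?q=cardiology' },
  { url: 'https://www.facebook.com/tr?id=000000&ev=SubscribedButtonClick'
       + '&dl=https%3A%2F%2Fwww.example-hospital.org%2Fconditions%2Fhiv-care%2Fschedule'
       + '&cd[buttonText]=Schedule%20Appointment' },
  { url: 'https://www.google-analytics.com/collect', body: 'v=1&t=pageview&dp=%2Fconditions%2Foncology' },
];

console.log(JSON.stringify(auditRequests('https://www.example-hospital.org', SAMPLE_REQUESTS), null, 2));
```

Run it against a real export and every finding with needsBaaReview set is a data flow that legal and privacy teams should see before the tag stays on the site.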
Long recommended that organizations take a hard look at their controls and ensure that they have visibility into exactly what any new tech brings to the table in terms of security and privacy risks.
Regulatory Gaps Leave Healthcare in a Grey Area
The complex and ever-changing nature of healthcare security and privacy cannot be overstated. While it is the responsibility of healthcare organizations to assess third-party vendors and mitigate risk across the organization, it is also up to regulators to set clear guidelines for both technology companies that offer this tech and HIPAA-covered entities.
Following reports of data breaches stemming from third-party tracking tech, the HHS Office for Civil Rights (OCR) issued a bulletin in December 2022 to clear up confusion surrounding HIPAA standards.
“Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules,” OCR stated.
“For example, disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations, would constitute impermissible disclosures.”
OCR clarified that regardless of whether the tracking tech is present on user-authenticated or unauthenticated web pages, if PHI is involved, HIPAA rules still apply. OCR stressed the importance of having a business associate agreement (BAA) in place with all vendors that handle PHI in order to remain HIPAA-compliant.
“Further, it is insufficient for a tracking technology vendor to agree to remove PHI from the information it receives or de-identify the PHI before the vendor saves the information,” the bulletin continued.
OCR made its stance on the matter abundantly clear with the bulletin. However, experts have argued that HIPAA may not have the power to curb privacy violations related to third-party tracking tech on its own.
In a viewpoint article published in JAMA in June 2023, McCoy and his colleagues returned to their research on the widespread presence of third-party tracking tech in healthcare, this time focusing on the legal and regulatory implications.
“First, although the bulletin signals OCR’s intention to seek civil monetary penalties for HIPAA violations based on trackers, it is not legally binding. The OCR’s interpretation of HIPAA, particularly its views on unauthenticated webpage tracking, could be challenged legally,” the article stated.
“Second, even if OCR successfully imposes penalties for tracking-related violations, penalties are capped at levels relatively modest (just over $1.9 million per year) compared with health system budgets. Third, HIPAA does not have any private right of action, meaning that, although attorneys general can pursue violations in some states and individuals can file complaints to OCR, people cannot sue hospitals directly for HIPAA violations. That means that patients’ concerns that hospitals have violated their HIPAA rights will not translate directly into a flood of lawsuits against hospitals.”
In other words, HIPAA alone may not be enough of a deterrent to minimize the risk of privacy violations stemming from third-party tracking tech.
State laws may come into play to make up for HIPAA’s shortcomings, as exemplified by a 2021 settlement in which Mass General Brigham agreed to pay $18.4 million to settle claims that the hospital had violated Massachusetts state privacy and wiretap laws by using trackers on its website without obtaining consent.
However, the case resulted in a settlement, meaning that it did not establish a legal precedent that would inform future cases.
While HIPAA-covered entities must comply with OCR’s bulletin, non-HIPAA-covered entities have to answer to the FTC. In 2023, the FTC reached two high-profile settlements with healthcare companies GoodRx and BetterHelp surrounding third-party tracking tech issues. Both settlements solidified the FTC’s commitment to enforcing against the improper use of third-party tracking tech.
“I don't think we should be depending on hospitals or any other kind of entity to fully solve this problem,” McCoy said during the Healthcare Strategies podcast.
"We need regulators to enforce laws that are already on the books to protect consumer privacy and patient privacy. And we need Congress to think about passing comprehensive privacy legislation that might address some of these issues at the root of the cause. But one optimistic finding of this work is that sure, there are those long-term goals, but there's no reason that hospitals can't start tomorrow doing things to help protect patient privacy.”
As regulators work to provide clarity and guidance on the role of third-party tracking tech, healthcare organizations will have to take steps internally to mitigate risk.
What Does the Future Hold?
“The safest approach in the current environment is to remove all tracking and analytics technologies on any healthcare website that might cause any web browsing data to be sent to a third party that is not a business associate,” said Paul Karlsgodt, partner at BakerHostetler and leader of the firm’s Privacy and Digital Risk Class Action and Litigation Team.
“However, taking that drastic measure has significant impacts on a healthcare institution's ability to effectively attract and communicate with patients and meet other business and regulatory commitments.”
Karlsgodt noted an uptick in lawsuits surrounding third-party tracking tech. BakerHostetler’s 2023 Data Security Incident Response Report (DSIR) shed light on this trend – the firm observed more than 50 tracking tech-related lawsuits being filed against hospital systems in 2022, declaring 2022 “the year of the pixel.”
“Most of the early litigation focused on the use of Meta Pixel. We are now seeing litigation arising out of the use of other analytics and tracking technologies, such as Google Analytics,” Karlsgodt added.
As this tension continues, lawsuits will likely continue to surface, ideally answering key questions about how data flows through healthcare organizations and interacts with third-party tracking tech.
“If you work in compliance and the intersection of healthcare and advertising, you are going to be busy for the next year and somewhat foreseeable future because both HHS and the Federal Trade Commission and multiple other agencies have clearly put this type of tracking and ad measurement in their crosshairs,” Buckley predicted.
The plethora of lawsuits, along with media attention and concerns from patients, will likely incentivize hospitals to rethink their relationships with vendors that provide this technology.