ECRI Warns Healthcare Providers About Third-Party Tags Like Meta Pixel


About a third of the top US hospitals were found to be sending sensitive data and PII to Facebook. Reflectiz investigates as the story unfolds.

Data breaches in the healthcare industry have become very common. It seems that healthcare organizations are struggling with visibility and control over their third-party analytics tools like Meta pixel.

Meta pixel is a small piece of code, placed on a business’ website to measure the effectiveness of advertising. However, working behind the scenes, the data that Meta pixel collects has come under some serious scrutiny, and patient-safety-focused nonprofit ECRI has released an alert for healthcare organizations and hospitals to take steps to reduce the threat. 

Who has been impacted by this Meta pixel data breach?

Unlike other cyberattacks, which often rely on cybercriminals launching a targeted threat against a business or a supply chain partner, the risks of third-party tags are much wider.

A great representation of this is a study completed by The Markup, which tested the websites of the top 100 hospitals in the United States. In 33% of cases, Meta pixel was found to be sending a packet of data to Facebook whenever a doctor’s appointment was scheduled online, data that has included the user’s IP address. The Markup found that Facebook was being given sensitive information inside this data packet, including the search terms related to the specific reason behind making the appointment, and even the doctor’s name. 

Inside seven disparate password-protected patient portals, Meta pixel was also found to be sending Personal Healthcare Information (PHI) including the names of patients’ medications, and their upcoming medical appointments. According to The Markup, regulators, data security experts and privacy advocates have all agreed that these hospitals may well have violated HIPAA as a result of the actions of the Meta pixel. 

How are healthcare organizations held responsible?

Hospitals are already seeing the fallout from loose controls over third-party analytics tools like Meta pixel. Two class action lawsuits have recently been filed on behalf of those who have had PHI disclosed without their consent as a result of Meta pixel. Advocate Aurora Health has said the PHI of up to 3 million patients may have been disclosed to Facebook, and WakeMed Health and Hospitals confirmed around 495,000 patients have been impacted via the MyChart patient portal. 

This kind of breach carries a high risk of reputational damage, especially as we’re dealing with the healthcare sector. For example, exposed patient data could be used to tailor advertisements to specific Facebook users based on their healthcare records. It’s extremely plausible that users could be encouraged to pursue less appropriate care, or even buy unproven treatments over the web.

Of course, even if healthcare organizations have no knowledge of the PHI breach, they could still be held responsible under HIPAA, and face steep fines and legal action. Providers need to be aware of their responsibility to see and govern the third-party scripts and apps running on their websites.

Chad Waters, senior cybersecurity engineer at ECRI, commented: “It is important to understand that many of these tools are free because their revenue model is dependent on building profiles of Internet users… Hospitals should review usage policies and be cautious on where these tools are deployed.”

What can healthcare organizations do?

Hospitals and those who handle sensitive healthcare information have only one choice. They can’t remove all third-party analytics trackers and tags from their websites entirely. Doing so would make it impossible for them to benefit from essential digital interactions such as online appointment management and digital patient portals, as well as valuable information about user activities.

Instead, they need to get visibility and control over their third-party scripts, apps and tags that have access to patient information. 

Here’s where Reflectiz comes in, providing an airtight solution for this growing problem, and enabling the secure use of third-party apps. 

Executed remotely with no installation required, Reflectiz provides a thorough inventory of all third and fourth-party applications on your website, allowing you to see:

  • Who are your digital vendors? Perhaps some are unnecessary, or are legacy apps that should have been removed or altered.
  • What are they doing? See whether any have access to PHI, so you can recognize the context and risk level of each application, tag, or script.
  • Where is the data being sent? Immediately be aware if any sensitive information is being sent to an unauthorized source without user consent.

Want to increase user trust, and secure patient data from end to end? Find out more. 
