What are the risks?
Online tracking technologies are useful tools, but they expose healthcare providers to various risks. They collect user information to measure the effectiveness of advertising campaigns and help businesses improve their customers’ experience. Any business that uses tags or pixels from companies like Google, Meta, and TikTok is at risk of an inadvertent data breach, because misconfigurations so often lead to over-sharing, but for healthcare providers the risk is even greater, because cyber criminals know that protected health information (PHI) has a high resale value. Buyers can use it to commit medical services fraud, blackmail, identity theft, and more, and back in 2017, Experian estimated that a single set of patient records was worth up to $1000 to sellers.
Whether a data breach is accidental or deliberate, the healthcare provider leaking PHI then faces the additional risk of attracting penalties for violating data protection laws (CCPA, CPRA, etc.) and HIPAA rules.
The Office for Civil Rights (OCR) recently updated its guidance on HIPAA-regulated entities’ use of online tracking technologies, saying that it must not lead to “…impermissible disclosures of PHI,” and that violations may lead to civil financial penalties.
So, in summary, the risks are:
Unauthorized Access to PHI
Tracking pixels can inadvertently collect PHI, such as IP addresses, browsing behavior, and other potentially identifiable information. If that data is not properly secured, it may be accessed by unauthorized individuals.
Data Leakage
Tracking pixels often send data to third-party servers. If those third-party services do not have adequate security measures, or if there is no Business Associate Agreement (BAA) in place (a BAA sets expectations on third parties around data protection), there is a risk that PHI could be leaked or misused.
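To make the leakage risk concrete, here is an added example (not Reflectiz code, and not from the report) that inventories the tracking tags in a page’s HTML, classifies each third-party host as BAA-covered or not, and flags pixels whose query string carries the page URL, which is how browsing behavior such as a visited appointment page reaches a vendor. The provider domain, the BAA vendor allowlist and the sample page are all constructed for illustration.

```javascript
// Added example: audit tracking tags in page HTML for uncovered third-party recipients.
// FIRST_PARTY_HOST, BAA_COVERED_HOSTS and SAMPLE_HTML are constructed placeholders.

const FIRST_PARTY_HOST = 'patientportal.example-health.org';          // assumed provider domain
const BAA_COVERED_HOSTS = new Set(['analytics.baa-vendor.example']);  // assumed BAA-covered vendors

// Collect the src targets of tags that commonly carry pixels, beacons and tag-manager scripts.
function extractTagUrls(html) {
  const re = /<(img|script|iframe)\b[^>]*\bsrc\s*=\s*["']([^"']+)["']/gi;
  const out = [];
  let m;
  while ((m = re.exec(html)) !== null) out.push({ tag: m[1].toLowerCase(), url: m[2] });
  return out;
}

// True when any query parameter value is itself a URL or path, i.e. the tag reports
// which page the patient is viewing to the vendor.
function carriesPageContext(parsed) {
  for (const [, value] of parsed.searchParams) {
    if (/^https?:\/\//i.test(value) || value.startsWith('/')) return true;
  }
  return false;
}

// Classify every non-first-party tag. Uncovered third parties that also receive
// page context are the HIPAA leakage finding a reviewer would escalate.
function auditTrackers(html, firstPartyHost = FIRST_PARTY_HOST, covered = BAA_COVERED_HOSTS) {
  const findings = [];
  for (const { tag, url } of extractTagUrls(html)) {
    let parsed;
    try { parsed = new URL(url, `https://${firstPartyHost}/`); } catch (e) { continue; }
    if (parsed.hostname === firstPartyHost) continue;       // first-party assets are in scope of the provider
    findings.push({
      tag,
      host: parsed.hostname,
      status: covered.has(parsed.hostname) ? 'baa-covered' : 'uncovered-third-party',
      sendsPageContext: carriesPageContext(parsed),
    });
  }
  return findings;
}

// Constructed sample page: one first-party script, one BAA-covered analytics script, and one
// uncovered 1x1 pixel that echoes the (sensitive) page URL back to an ad network.
const SAMPLE_HTML = `<html><body>
<script src="/static/app.js"></script>
<script src="https://analytics.baa-vendor.example/tag.js"></script>
<img src="https://pixel.adnetwork.example/tr?id=123&dl=https%3A%2F%2Fpatientportal.example-health.org%2Fappointments%2Foncology" width="1" height="1">
</body></html>`;

function uncoveredFindings(html = SAMPLE_HTML) {
  return auditTrackers(html).filter((f) => f.status === 'uncovered-third-party');
}
```

The same check works on any fetched HTML; in practice it belongs in a periodic scan of the live site, since tag managers can add vendors after the page ships.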
Targeted Attacks
Cybercriminals might exploit vulnerabilities associated with tracking pixels to conduct targeted attacks, such as phishing or ransomware, by using the data collected to craft more convincing and personalized attacks.
Reputation Damage
A data breach involving tracking pixels can damage the reputation of the healthcare provider. Patients expect their health information to be kept confidential, and any breach can erode trust and lead to a loss of patient confidence.
Financial Costs
There will be regulatory fines, but a data breach can also be costly to clean up. Affected individuals must be notified, then there are also legal fees, credit monitoring services for victims, and potential legal settlements to cover.
Online Tracking Technologies in Healthcare – Download the full report for free
Who has been affected?
Kaiser Permanente
On April 12, 2024, healthcare consortium Kaiser Permanente disclosed details of a data breach that affected 13.4 million of its current and former members and patients who used its website and mobile apps. Tracking technologies shared names, IP addresses, and website interactions with vendors and advertisers, potentially allowing these third parties to link individuals with pages they were viewing and use that information to target them with related advertising.
Usernames, passwords, Social Security numbers, and financial details were not leaked, so this was not as bad as it could have been, but it adds to the reputational damage caused by Kaiser Permanente’s previous breach, which affected 70,000 patients in 2022. Attorneys are currently gathering patients to take legal action against the company in a mass arbitration.
Advocate Aurora Health
This healthcare system in Wisconsin and Illinois exposed the personal data of 3 million patients due to improper use of the Meta Pixel on its websites. It shared their sensitive personal and medical information with Facebook owner Meta and settled a lawsuit brought by victims at a cost of $12.25 million.
Community Health Network
This Central Indiana-based provider did the same, sharing data with Meta without permission, this time breaching the privacy of 1.5 million service users.
Cerebral
Online mental health care platform Cerebral aims to make high-quality mental health services accessible and affordable. Unfortunately, it also made the HIPAA-protected data of 3.1 million of its users available via tracking technology on its website and apps.
What HIPAA says about online tracking in healthcare
The Health Insurance Portability and Accountability Act (HIPAA) addresses the protection of patient information, including how it can be used and disclosed by covered entities (organizations that must comply with HIPAA) and their business associates. When it comes to online tracking in healthcare, HIPAA has specific implications, particularly concerning PHI. Here are some key points to remember:
PHI Protection
HIPAA says that any personal health information that could potentially identify an individual must be protected. This includes data gathered through online tracking tools like cookies, web beacons, and others. However the PHI is collected, the provider must make sure it is protected.
Authorization
If a provider uses online tracking tools to collect PHI, it generally needs to obtain explicit patient authorization before sharing it or using it for purposes other than treatment, payment, or healthcare operations.
BAAs
If a healthcare provider uses third-party services for online tracking that can access PHI, there must be a Business Associate Agreement in place. This ensures that the third party understands and respects HIPAA requirements around protecting PHI.
De-identification
This is a slightly bureaucratic-sounding word that means anonymization. If the information collected through online tracking is anonymized to HIPAA standards, to the extent that it can no longer be used to identify an individual, then it stops being considered PHI and the HIPAA rules don’t apply to it.
Notice of Privacy Practices
Healthcare providers must include information about their use of online tracking tools in their Notice of Privacy Practices if these tools collect PHI. Patients should be informed about how their data is being collected and used.
Security Measures
HIPAA requires appropriate technical, physical, and administrative safeguards to be put in place to protect PHI collected through online tracking so that it isn’t leaked or stolen.
So, HIPAA requires that any online tracking of individuals that involves their personal health information must comply with its privacy and security rules, which include obtaining necessary authorizations, ensuring appropriate agreements with third parties, and implementing robust security measures.
How Reflectiz can help with online tracking
Reflectiz offers just such a ‘robust security measure’, one that is HIPAA compliant by nature because it scans for threats remotely and so can’t access patient records. It sees which tracking pixels are collecting end-users’ PHI and where that information is being sent, so you will immediately know if it is going to an unauthorized source without their consent. It has many more enterprise-level security features besides, but the best way to experience it is to get the free version now, access your dashboard in minutes, and make your organization HIPAA-safe, fast.