Updated May 2, 2023 – More than 50 lawsuits have been filed against hospital systems related to third-party pixel tracking since August 2022, according to a report from law firm BakerHostetler. For news about the Office for Civil Rights (OCR), be sure to read HIPAA Enforcement of Website Tracking Breaches. Finally, be sure also to read Pixel Tracking at Alcohol Treatment Centers.
Three more healthcare providers have reported HIPAA breaches caused by website pixel tracking technology.
Pixel trackers are used by big tech companies like Google and Meta (Facebook) to gather valuable personal information about website users, allowing the tech companies to market to those users or to sell the users’ personal information to other marketers. When a healthcare organization enters a contract with Google or Meta to enhance its website or strengthen its internet presence, it often unwittingly gives those companies reams of protected health information (PHI), a potential HIPAA violation.
Over 9 million patients have been affected by the pixel tracking breaches publicly known so far. Late last year we learned about four large breaches affecting a total of about 6 million. Recently a particularly large breach affecting over 3 million was reported by San Francisco-based Cerebral, Inc., a mental health service provider.
But the total number is much higher, because 9 million is the total from only five healthcare providers in the last seven months or so. Thousands of healthcare providers use pixel trackers on their websites, but only a few of them have disclosed whether breaches have occurred. In time, as providers evaluate their contracts with tech companies and see how website trackers are being used, the number of patients affected will undoubtedly grow.
OCR Steps In
In the wake of the four large breaches reported last year, HHS’ Office for Civil Rights (OCR), which enforces HIPAA, issued a bulletin on December 1, 2022. The bulletin explains the HIPAA risks for covered entities and business associates, with advice about what to do.
The Newest Pixel Tracker Breach Reports
The three most recent healthcare providers treating the website trackers as potential HIPAA breaches are New York-Presbyterian Hospital, UC San Diego Health and Brooks Rehabilitation. The total number of patients affected by the pixel tracking at these three providers is about 79,000.
New York Presbyterian – nearly 54,400 individuals
In its breach notice, NYP explained that in January it learned that certain information of patients requesting appointments or second opinions, or initiating a virtual urgent care visit, on its main public-facing website, www.nyp.org, was potentially accessed by NYP’s third-party technology service providers. The tracker “accessed IP addresses and the URL/website addresses of the pages visited, which may have included the provider name and specialty listed on NYP.org. In addition, certain tools were also able to access first name, last name, email address, mailing address, and/or gender…”
UC San Diego Health – 23,000 individuals
UC San Diego Health reported that an analytics tool it used for scheduling (from vendor Solv Health) may have captured names, birthdates, email and IP addresses, reasons for visits and insurance types between September 13 and December 22, 2022, the period during which the tool was in use. Upon discovery of the breach, UCSD Health discontinued use of the analytics tool.
Brooks Rehabilitation – nearly 1,600 individuals
Florida-based Brooks Rehabilitation, which provides services for neurological and other medical conditions, reported its pixel-tracker-related breach on January 30, 2023.
The report explains that in December 2022 Brooks determined that tracking technology vendors it used had the capability to view or access individuals’ information when a user provided contact information or feedback via a Brooks website. The tracking technology may have transmitted names, phone numbers, email and IP addresses, and information that users provided in a comment section.
Lawsuits are Multiplying
Meta is already defending multiple breach-of-privacy lawsuits related to its pixel tracker tools in healthcare settings. Cerebral, the mental health service provider mentioned above, is facing a class action lawsuit filed March 10, 2023 in federal court in the Central District of California. The lawsuit alleges that Cerebral’s online healthcare platform secretly shared consumers’ information with Facebook, Google, TikTok and other third parties via hidden tracking pixels.
HIPAA Risk Management Supports Privacy
Review the OCR bulletin to make sure you understand your obligations, and be sure to have business associate agreements in place with tech companies. Do your due diligence with the business associates and evaluate whether the technology tracks and uses patient data. The tech companies appear to be getting the message about HIPAA and healthcare providers, and are less likely to be using pixel trackers going forward, at least in healthcare settings. But you may have a historical breach incident that occurred before the recent publicity.
Be thorough and check all the agreements related to your websites, past and current, to make sure you’re complying with HIPAA and protecting patient data.