Healthcare

Navigating Cyber Risks in Healthcare: Pixel Tracking Technology

Introduction

With new cyber risks constantly emerging and evolving, pixel tracking technology has become a top-of-mind risk for healthcare organizations. These “tracking pixels” hidden on organizational websites facilitate the sharing of protected health information (PHI) with a third party, and many organizations may not even realize they have them. As this has become a focal point for litigation and regulatory scrutiny in recent years, understanding and proactively managing pixel tracking technology is imperative in protecting healthcare organizations against evolving cyber risks.

This report explores the multifaceted dimensions of pixel tracking, privacy concerns within healthcare facilities, the consequential impact on cyber insurance coverage, and actionable insights for risk mitigation.

Pixel Tracking Technology

Pixel tracking technology, commonly known as “tracking pixels,” serves a pivotal role in web analytics and online advertising by monitoring user activity on websites. These pixels often take the form of a piece of code embedded within web pages or emails, remaining invisible to users while seamlessly operating in the background. When a user accesses a webpage, the tracking pixel quietly loads from a remote server, discreetly gathering pertinent data such as IP addresses, browser types, and screen resolutions. This data is then transmitted back to the server for comprehensive analysis, providing valuable insights into user behavior.

The collected data serves a myriad of purposes, including website analytics, ad campaign optimization, and in-depth user behavior analysis. By leveraging this information, website owners and advertisers gain a profound understanding of how users engage with their content, facilitating informed decision-making and targeted strategies. According to an article published by the Markup in 2022, 33 out of Newsweek’s top 100 hospitals in America were using tracking pixels on their websites.¹

In recent years, pixel tracking technology has garnered significant attention from plaintiff attorneys, particularly concerning the unauthorized transmission of PHI from hospital websites to Meta without patient consent.² This practice has raised considerable concerns regarding HIPAA privacy compliance, making it a focal point of recent legal scrutiny and advocacy efforts. Baker Hostetler observed that over 50 lawsuits have been filed against health systems related to their use of tracking pixels since August 2022.³

Privacy Concern Incidents

Healthcare facilities’ public websites may inadvertently disclose PHI to third parties through embedded pixels, violating HIPAA privacy regulations by doing so without patient consent. This situation has led to an uptick in breach events or claims, with many healthcare institutions facing class-action lawsuits stemming from the presence of pixels on their websites.

Recent Major Breach Events

• Kaiser Permanente in 2024
  “Kaiser Permanente has determined that certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter) when members and patients accessed its websites or mobile applications,” the healthcare giant shared in an emailed statement.⁴ The breach impacted 13.4 million current and former patients.

• Cerebral in 2023
  In March, U.S. mental health startup Cerebral revealed that it had unintentionally collected and shared the private health information of over three million users with Facebook, Google, TikTok, and other major advertising companies through tracking pixels.⁵ The company claimed its use of pixel trackers did not breach HIPAA regulations, as it merely connects patients with healthcare providers and does not directly offer care itself.

• Advocate Aurora Health in 2022
  In October 2022, Advocate Aurora Health experienced a data leak linked to its use of tracking pixels from Google and Meta, affecting nearly three million individuals.⁷ In September, Advocate Aurora Health agreed to pay over $12.2 million to settle a class-action suit over the pixel-related data breach.⁸ Several similar lawsuits against health systems and vendors are pending.⁹

The Federal Trade Commission (FTC) has also taken an active interest in how healthcare organizations share patient information with mobile health apps, given that these entities have historically operated outside the purview of HIPAA regulations. In March 2023, the FTC initiated enforcement actions against GoodRX and BetterHelp for their practices involving the sharing of patient health data through third-party tracking pixels, enabling the analysis and inference of user activity — an indication of the growing regulatory scrutiny in this area.¹⁰

Coverage Impacts

Aware of this vulnerability, some cyber insurance carriers have begun implementing limitations or restrictions on coverage. These restrictions have come in the form of “website tracking exclusion” endorsements on their policies. Such endorsements explicitly exclude coverage for indemnity and defense for claims related to a breach of PHI when pixel or code-tracking technologies were involved. However, there are still cyber carriers who may be willing to underwrite this exposure when proper controls are in place. There may also be some coverage for this exposure in other insurance policies.

Risk Mitigation

To address the risk of pixel tracking technologies effectively, organizations can take the following proactive steps:

• Collaborate with your IT team to conduct a thorough review of pixel technology deployed on your public-facing website and those utilized by third-party vendors or health apps. This review process may involve leveraging external search tools ensure comprehensive scrutiny.
• Bring together leaders from the organization’s IT and marketing teams to develop appropriate guidelines and policies regarding the information collected and its intended use. Consider using the FTC’s research questions as a template when evaluating how pixel tracking is deployed at your organization.
• Provide targeted training sessions for marketing and communications personnel to raise awareness about the potential HIPAA privacy and security implications associated with utilizing tracking pixels. If employing tracking technology, consider implementing consent mechanisms or authorization protocols for the sharing of PHI and whether disclosure is allowed per state and federal regulations.
• Conduct a thorough assessment of your current cyber insurance policies with a seasoned insurance broker. Identify any coverage exclusions or limitations related to pixel tracking and explore alternative coverage options available through other property and casualty policies if necessary.

A Final Word

As cyber risks continue to evolve, healthcare organizations must stay vigilant about emerging threats like pixel tracking technology. This report provides a comprehensive analysis of the privacy concerns and cyber insurance implications associated with pixel tracking in healthcare. By understanding the multifaceted dimensions of this technology, including its impact on HIPAA compliance and the resulting legal scrutiny, healthcare facilities can better prepare to mitigate these risks.

The rise in class-action lawsuits and the implementation of “website tracking exclusion” endorsements by some cyber insurance carriers highlight the critical need for robust risk management strategies. Organizations can no longer overlook the importance of proper controls and proactive measures to safeguard patient information and ensure compliance with privacy regulations.

Equip your organization with the knowledge needed to navigate the complexities of cyber insurance coverage and enhance your cyber resilience in the face of emerging threats.