In October, non-profit health system Advocate Aurora Health notified patients of a data leak related to its use of tracking pixels from Google and Facebook’s parent company Meta. These technologies, installed on the company’s patient portals, transmitted personal health information (PHI) to the third-party companies providing the pixels.
Tracking pixels are 1x1 pixel-sized graphics, generally invisible to the user and embedded into websites, ads, and emails. They’re used mainly to collect data about user behavior -- like readership patterns and newsletter engagement -- and send that data to an external server.
Tracking pixels are commonly used for marketing purposes, but Advocate Aurora Health is not the first health system to experience a PHI leak related to the use of this technology.
Using Tracking Pixels in Healthcare
Advocate Aurora was using tracking pixels to “better understand patient needs and preferences to provide needed care to our patient population,” according to the health system’s data breach notification. And it is not alone.
WakeMed, a health system based in Raleigh, North Carolina, placed pixels from Facebook on its website and its MyChart patient portal in March 2018. It disabled the use of pixels in May 2022, but this month, it reported that information entered into its patient portal and scheduling page may have been sent to Facebook.
In August, Novant Health, also based in North Carolina, notified patients of the possible disclosure of PHI related to use of Meta tracking pixels.
In each of these incidents, the health systems reported that the disclosed information, for the most part, did not include Social Security numbers or financial information. Rather, the PHI disclosed included information such as email addresses, IP addresses, and scheduling details. The Aurora notification states that appointment/procedure info and patient communications on MyChart might also have been exposed.
This series of similar incidents calls into question the role tracking pixels play in healthcare, a sector rich with information valued by cyberattackers.
“Consumer activity tracking for the purpose of marketing is not a fit for the health sector,” Mike Hamilton, CISO of cybersecurity firm Critical Insight and former CISO for the city of Seattle, argues. “Because of regulatory oversight by the [US] Department of Health and Human Services, as well as the privacy statutes coming out of states, like the California Consumer Privacy Act, this is not information that is germane to the health sector mission, and its possession creates significant liability.”
These breaches could have been prevented with the use of a different kind of technology, according to Hamilton. “This could have been prevented by the use of other analytic tools to understand patient usage rather than a marketing technique that is designed to gather and share so much information that is outside the scope of the intended purpose.”
“At least dozens of the nation's top hospitals use tracking pixels for millions of patients. That may be changing fast due to new laws and lawsuits that will force organizations to change course drastically,” Paul Innella, CEO of TDI, a global cybersecurity company in the banking and healthcare spaces, tells InformationWeek.
Class action lawsuits, like the one filed against Meta and the University of Pittsburgh Medical Center (UPMC), have sprung up in the wake of breaches related to pixel use by health systems. Chicago hospital Northwestern Memorial Hospital is facing a similar class action lawsuit related to its use of Meta pixels.
Advocate Aurora Health, WakeMed, and Novant Health all disabled the tracking pixels following their respective data leaks. WakeMed “has no plans to use it in the future without confirmation that the pixel no longer has the capacity to transmit potentially sensitive or identifiable information,” according to its news release.
While these incidents are a cautionary tale, tracking pixels are likely still in use at other health systems. “Organizations deploying tracking pixels need to do their due diligence to ensure PHI is properly secured and only authorized users have access,” says Oscar Miranda, CTO for healthcare at cybersecurity company Armis.
Additionally, Innella advocates for board-level involvement when it comes to these kinds of data exposures. “In the case of this particular breach, hospital board directors should be demanding answers. Which third-party tech and add-ons are we using? Have they been reviewed and approved, to include any settings, from a security and risk perspective?" he says.
Cybersecurity Vulnerabilities in Healthcare
Pixels are tools for understanding user behavior, which in turn can help health systems with targeted marketing. But the healthcare industry must balance the use of innovative technology with both regulatory compliance and patient trust. Misconfigured tracking pixels put health systems at risk of violating HIPAA, as well as state and federal privacy laws, according to Miranda.
“This instance is indicative of a large trend in the healthcare industry, as innovation increases and new tools are implemented into care practices, it's essential that these connected medical devices do not go unmanaged with outdated software and vulnerabilities left unpatched,” he says.
A total of 337 data breaches impacting 500 or more patient records were reported in the first half of this year, according to the 2022 Mid-Year Horizon Report: The State of Cybersecurity in Healthcare from healthcare cybersecurity company Fortified Health Security.
The use of pixels is just one potential vulnerability in an industry with a growing attack surface fueled by the adoption of technologies like IoT and IoMT.“This latest breach is yet another unfortunate reminder that cybersecurity across healthcare is an ongoing challenge; the funding and expertise isn’t where it needs to be, and stakeholders are realizing how they could benefit from implementing a cybersecurity performance management mindset,” says Innella.