Recent letters were sent to hospitals by the US Department of Health and Human Services and the FTC, warning them that using web tracking technology on their websites could violate HIPAA. This latest action builds on previous regulatory and legal activity that began in March of last year, when The Markup published a study of hospital websites using the Meta pixel, potentially violating HIPAA. That investigation spurred a wave of class-action lawsuits, reported breaches from hospital systems, and significant fines from the FTC (including BetterHelp and GoodRx).
So, despite all the warnings, where does the issue stand today? Have hospitals acted to fix their websites and prevent patient data collection?
We Found the Meta Pixel Still Running on Hospital Sites
We looked at 22 hospitals named in class-action lawsuits for using online trackers in 2022 and early 2023. To our surprise, two of the hospitals still have the Facebook pixel on their websites, with one having it on hundreds of pages including the contact and billing pages, collecting data from the site search, and on pages that highlight certain practice areas or symptoms.
This highlights precisely the issue with managing these tracking tools. Organizations often think they have visibility into everything on their site, but pages get lost in the shuffle because of how the organization is structured: different teams handle different parts of the business, and one-off campaign pages are forgotten. A separate team may manage content for cancer vs. primary care, or research vs. treatment, and those teams may deploy different technologies on their own web pages, which is likely what happened here. It is also possible that ownership of the pages changed hands and the trackers were forgotten or never disclosed.
For organizations with thousands of pages on their websites that launch campaigns frequently, manually keeping track of this information makes it nearly impossible to say confidently that a website is free of these risks. That is why a set of tools that does this automatically can be a complete game-changer.
But what about other trackers? Did they take it a step further and remove other trackers from their sites as a precaution? We found that the majority – 62% – still have Google Analytics on their site. This technology was explicitly mentioned in the Office of Human Rights bulletin in December of 2022 as a technology that collects PHI and can violate HIPAA rules when misconfigured. While not expressly named in a lawsuit or letter, 81% of the websites have the DoubleClick pixel, which is used for improving ad targeting as well as embedded in YouTube video features (DoubleClick and YouTube are also Google-owned properties).
Lastly, what about other tools recently named in litigation?
We’ve been keeping a close eye on website privacy-related lawsuits and have seen a surge in cases related to session recording tools (e.g., Hotjar, CrazyEgg, LogRocket) across all industries for allegedly illegally recording visitors’ behavior and interactions without their knowledge or consent. Another issue is that these tools can sometimes record sensitive data, like information typed into forms or search bars if the masking functionality isn’t properly configured. We found that 38% of these sites use session recording tools.
Are all hospitals taking note of this warning, even those not facing legal action? We analyzed the trackers on 20 additional hospitals’ websites, and found that:
- 60% had Google Analytics
- 25% had the Facebook pixel
- 30% had session recording tools
- 80% had DoubleClick trackers
Children’s Hospitals and Their Tracking Behaviors
Lastly, we were curious about hospital systems that focus on another vulnerable group: children. We haven’t yet seen COPPA violations involving these online website trackers – but could we? COPPA requires that parents be notified about the collection and use of data from children under the age of 13. We tested a few children’s hospital sites to see what collected data might indicate that it belongs to a minor, and found that several sites allow users to request an appointment on a page with embedded trackers, where personal data including birthdate and medical conditions is collected. Parents must be notified of where that data is being collected and where it is going.
We looked at the ten largest children’s hospitals by revenue and found on their websites that:
- 50% had the Facebook pixel
- 90% had Google Analytics
- 50% had the BlueKai tracker
- 50% had session recording tools
- 100% had DoubleClick trackers
Overall, it’s clear that these organizations have work to do to ensure their websites are safe and compliant. As we mentioned in the examples above, it can be challenging to identify and mitigate these risks. There are even more trackers that “piggyback” on others and get access to the same data received by the tracker that they’ve attached to.
The way to stay on top of these trackers is to automate the inspection and real-time blocking of unauthorized third parties. Marketing, security and privacy teams should pursue tools that help them consistently audit, monitor, and block unauthorized trackers, and ensure that proper consent tools and privacy policies are up to date.
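As an added illustration of the automated audit described above (this is example code written for this article, not LOKKER's product or any hospital's tooling), the scanner below inventories third-party script, image and iframe sources across a set of pages, classifies them against a small catalog of known tracker domains, and flags pages where an unauthorized tracker sits next to a form or site search, the combination that makes session recording and pixel collection risky. The tracker catalog, the inline-script signatures and the four sample pages are all constructed for the example; the page URLs and pixel IDs are placeholders.

```python
"""Offline tracker inventory across a set of pages (added example, not production code)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Parent domains of common trackers (assumed subset, constructed for illustration).
TRACKER_CATALOG = {
    "facebook.net": "Meta pixel",
    "facebook.com": "Meta pixel",
    "google-analytics.com": "Google Analytics",
    "googletagmanager.com": "Google Tag Manager",
    "doubleclick.net": "DoubleClick",
    "hotjar.com": "Hotjar (session recording)",
    "crazyegg.com": "CrazyEgg (session recording)",
    "logrocket.io": "LogRocket (session recording)",
    "bluekai.com": "BlueKai",
}

# Inline bootstrap calls that reveal a tracker even when no external src is present.
INLINE_SIGNATURES = {
    r"\bfbq\(": "Meta pixel",
    r"\bgtag\(": "Google Analytics",
    r"\bga\(": "Google Analytics",
    r"\bhj\(": "Hotjar (session recording)",
}


class PageAuditor(HTMLParser):
    """Collects third-party hosts, recognised trackers and data-entry surfaces on one page."""

    def __init__(self, page_host):
        super().__init__()
        self.page_host = page_host
        self.third_party_hosts = set()
        self.trackers = set()
        self.has_form = False
        self.has_search = False
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag in ("script", "img", "iframe") and a.get("src"):
            host = urlparse(a["src"]).hostname  # handles https:// and protocol-relative //
            if host and host != self.page_host:
                self.third_party_hosts.add(host)
                self._classify(host)
        if tag == "script":
            self._in_script = True
        if tag == "form":
            self.has_form = True
            if a.get("role") == "search" or "search" in (a.get("action") or ""):
                self.has_search = True
        if tag == "input" and a.get("type") == "search":
            self.has_search = True

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # HTMLParser hands <script> bodies to handle_data as raw text.
        if self._in_script:
            for pattern, name in INLINE_SIGNATURES.items():
                if re.search(pattern, data):
                    self.trackers.add(name)

    def _classify(self, host):
        for domain, name in TRACKER_CATALOG.items():
            if host == domain or host.endswith("." + domain):
                self.trackers.add(name)


def audit_site(pages, allowlist=frozenset()):
    """pages: {url: html}. Returns per-page trackers, unauthorized trackers and a risk flag."""
    report = {}
    for url, html in pages.items():
        auditor = PageAuditor(urlparse(url).hostname)
        auditor.feed(html)
        unauthorized = sorted(t for t in auditor.trackers if t not in allowlist)
        report[url] = {
            "third_party_hosts": sorted(auditor.third_party_hosts),
            "trackers": sorted(auditor.trackers),
            "unauthorized": unauthorized,
            # A tracker on a page that takes typed input is the high-risk case.
            "high_risk": bool(unauthorized) and (auditor.has_form or auditor.has_search),
        }
    return report


def tracker_prevalence(report):
    """Percentage of scanned pages carrying each tracker (the kind of figure quoted above)."""
    counts = {}
    for entry in report.values():
        for t in entry["trackers"]:
            counts[t] = counts.get(t, 0) + 1
    total = len(report) or 1
    return {t: round(100 * c / total) for t, c in counts.items()}


# Constructed sample pages; hostnames, paths and IDs are placeholders.
SAMPLE_PAGES = {
    "https://hospital.example/": (
        '<html><head><script src="/assets/app.js"></script>'
        '<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>'
        '<script>gtag("js", new Date());</script></head>'
        '<body><img src="https://stats.g.doubleclick.net/r/collect" alt=""></body></html>'
    ),
    "https://hospital.example/billing": (
        '<html><body><script>fbq("init", "000000000000000");</script>'
        '<form action="/billing/pay"><input name="account"></form></body></html>'
    ),
    "https://hospital.example/oncology/search": (
        '<html><body><form role="search" action="/search"><input type="search" name="q"></form>'
        '<script src="//static.hotjar.com/c/hotjar-000000.js"></script></body></html>'
    ),
    "https://hospital.example/about": (
        '<html><body><iframe src="https://www.youtube.com/embed/placeholder"></iframe>'
        '<img src="https://stats.g.doubleclick.net/r/collect" alt=""></body></html>'
    ),
}

if __name__ == "__main__":
    result = audit_site(SAMPLE_PAGES, allowlist=frozenset({"Google Tag Manager"}))
    for url, entry in result.items():
        print(url, entry)
    print(tracker_prevalence(result))
```

The scan only sees what is in the served HTML, so the "piggyback" trackers mentioned above, which are loaded at runtime by another tracker's script, will not appear here; catching those requires capturing the network requests a real browser makes when it renders each page, which is also where real-time blocking has to sit. Unrecognised hosts are kept in `third_party_hosts` so that a reviewer can extend the catalog rather than silently missing a new vendor.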
Ian Cohen
Ian Cohen is the CEO of LOKKER.