Tracking Pixels and Another Big Health Care Breach

On April 12, Kaiser Permanente submitted notification of a breach to the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR).  

“Kaiser Permanente has determined that certain online technologies, previously installed on its websites and mobile applications, may have transmitted personal information to third-party vendors Google, Microsoft Bing, and X (Twitter) when members and patients accessed its websites or mobile applications,” the health care giant shared in an emailed statement.  

The technology in question? Tracking codes, also referred to as tracking pixels, embedded to understand how users interact with webpages and apps.  

Kaiser’s use of this technology and the subsequent breach isn’t the first of its kind. Health system Advocate Aurora and National Health Service (NHS) trusts, among others, have disclosed their own breaches related to the use of tracking pixels.  

Why do these kinds of breaches keep happening?  

The Kaiser Breach  

Kaiser is informing 13.4 million people, both current and former patients and members, of the breach. The breach was not caused by a threat actor with malicious intent, rather embedded tracking pixels in Kaiser’s website and mobile apps. The use of that technology meant the health care company was sharing information, such as individual’s names and IP addresses, as well as insight into how people were using its websites, apps, and health encyclopedia, with the third-party vendors.  

Related:How Ransomware Fallout Is Rippling Through the US Health Care System

In its statement, Kaiser noted that it was “ … not aware of any misuse of any member’s or patient’s personal information.” It also confirmed that it had removed the technologies in question from its websites and apps.  

Breach Fallout  

While the information of 13.4 million people may not have been misused, that personal information was still compromised. Scrutiny from the OCR could have an impact on Kaiser.  

“Depending on what the OCR finds, they'll probably [be] subject to fines and penalties … depending on the underlying issue, but with something this high-profile … with this many impacted individuals, I think they could expect to see some enforcement action,” Marc C. Lombardi, chair of the privacy, cybersecurity, and data Innovation practice group at law firm Shipman & Goodwin, tells InformationWeek.  

The individuals involved in the breach are also impacted. “People might see … targeted advertisements based on information that they didn’t know they were sharing with the marketing [companies] when perhaps the pixel provider was gathering information from their use of websites,” says Lombardi.

Related:What Security Leaders Need to Know About the ‘Mother of All Breaches’

The exposure of this personal information could also have consequences down the road: The more exposure, the more risk that this information does fall into the hands of bad actors.  

“And often with breaches, the initial foothold or actor may not have been nefarious, but it has real consequences when malicious actors pounce on it or the trust of the public is betrayed,” Joel Burleson-Davis, SVP of worldwide engineering at Imprivata, a digital identity security company, says in an email interview.  

With this breach calling even more attention to the use of tracking pixels and the potential privacy concerns, it is possible more legal challenges will arise. Google, Meta, and H&R Block, for example, are already facing a class action lawsuit regarding the use of tracking pixels.  

OCR Guidance 

The use of tracking pixels in health care and the potential conflict with the Health Insurance Portability and Accountability Act (HIPAA) has not escaped the notice of federal agencies. The OCR, which enforces HIPAA rules, released updated guidance for HIPAA-covered entities and any of their business associates using online tracking technologies on March 18.  

The guidance addresses the use of tracking technologies on user-authenticated pages, unauthenticated webpages, and mobile apps.  

Related:The Continuing Vulnerability of US Critical Infrastructure

It isn’t necessarily a black and white scenario in which all healthcare organizations should immediately cease all use of online tracking technology. “The guidance does create a pathway for use of these tracking pixels,” Lombardi points out.  

“One thing that … the guidance makes pretty clear is that the use of these tracking pixels on your authenticated pages is more clearly where PHI [protected health information] is involved,” he continues. “I would start by rethinking whether and why the tracking pixels are necessary on the authenticated, or the interactive pages, where you now know you have an individual who’s logged into your system.” 

The issue of tracking technology on unauthenticated webpages becomes murkier. When users aren’t logging in, webpages oftentimes do not have access to PHI. But that isn’t always the case. The OCR guidance offers the example of a webpage that allows users to check symptoms or schedule appointments.  

The potential risk of using tracking technology on unauthenticated webpages may not have been on the radar for a lot of healthcare organizations, according to Lombardi. “They were under the impression that there was sort of no protected health information being exchanged at the level of an unauthenticated page, but obviously the guidance sort of puts that on its head,” he explains.  

Any outside vendors that handle PHI on behalf of a healthcare organization are also subject to HIPAA rules. These vendors need to enter into business associate agreements with HIPAA-covered entities, according to the OCR guidance.  

Disclosure is a critical element of safeguarding patient data. Are individuals aware of how their data is being used and potentially exposed to third parties?  

“It’s in the best interest of big data companies that are buying and selling this data and using this data to not really education and inform,” Blair Cohen, founder and president of AuthenticID, a fraud prevention and identity verification solutions company, points out.  

In the wake of the Kaiser breach, other healthcare organizations can evaluate their use of tracking pixels and privacy policies. Are their consumers being informed? “Any covered or regulated entity that’s using tracking pixels should make sure that they review their privacy policies and their HIPAA notices of privacy practices to ensure that there’s disclosure there,” says Lombardi.  

Risk vs. Reward  

Are tracking pixels a useful marketing tool or a privacy nightmare? Answering that question requires health care organizations to weigh the risk versus the reward of using this technology.  

Healthcare organizations, such as Kaiser, are businesses, and the marketing insights provided by tracking pixels do have value in, say, improving patient experience.  

But first and foremost, healthcare organizations have an obligation to protect patient data. “Healthcare enterprises across the industry need to be very careful in terms of separating patient care activities and their marketing and branding activities,” says Burleson-Davis.  

Where is a healthcare organization using tracking pixels? What value do those pixels deliver? Is that technology sharing and exposing protected data with entities it shouldn’t be?  

“I would advise any of my clients to really weigh the benefits against the risks … of either inadvertently violating the privacy and security rule or having some form of a data breach grow out of an arrangement with a tracking pixel provider,” says Lombardi.  

As this type of breach continues to happen, scrutiny regarding the use of tracking pixels in health care is likely to mount. 

“Clearly, if there's a pattern here, it’s something that needs to be looked at and addressed. We can't just turn a blind eye if this has happened repeatedly using tracking pixels,” says Cohen.  

These types of breaches, like the one Kaiser experienced, are not necessarily due to a lack of regulatory clarity, according to Burleson-Davis. These incidents may stem from resource constraints.  

“Kaiser is one of the largest healthcare groups and is doing their best to protect their patients, and if they are strapped for resources, I think it’s safe to say this is an industry-wide issue,” he argues. “There needs to be more incentives and guidance from the government to help prevent these kinds of breaches.”