Privacy, Application security, Identity

Most hospital websites routinely transfer patient data via tracking tools

Google

Nearly all (98.6%) hospital websites leverage third-party tracking code that routinely transfers patient data to large technology companies, social media giants, advertising firms, and data brokers, in likely violation of federal privacy laws, according to new research published in Health Affairs.

Since the upheaval of Roe v. Wade by the Supreme Court, Congress has increased scrutiny over the privacy and security of individuals online with a particular focus on tracking tech that could reveal users' digital identities. That includes geolocation data that could tie an individual to their use of health services like abortion. Tracking tech has heightened those concerns.

“Hospitals are facilitating the profiling of their patients by third parties,” researchers wrote. “These practices can lead to dignitary harms, which occur when third parties gain access to sensitive health information that a person would not wish to share.”

Researchers from the University of Pennsylvania and Carnegie Mellon used descriptive statistics and regression analysis to determine the hospital characteristics tied to a greater number of third-party data transfers and found trackers on health systems, hospitals affiliated with medical schools, and hospitals serving more urban patient populations.

Nearly all of these provider organizations exposed visitors to higher levels of tracking, through the use of third-party tracking code on their websites. In doing so, patients are likely seeing an increase in targeted health-related advertising.

The latest study reaffirms previous third-party research published nearly one year ago that exposed the presence of Google and Facebook pixel tracking tools on the websites of some of the largest health systems in the country.

The scraping of hospital data spurred a host of lawsuits against the health systems and Meta, and an ever-growing list of breach notices to impacted patients. As SC Media previously examined, it’s likely the marketing teams that placed these analytics tools on hospital websites were unaware the pixels were creating possible privacy violations and exposing patient data.

While the 2022 pixel research confirmed the prevalence of third-party tracking on health-related websites, the researchers sought to understand the quantity and characteristics of these tools given that for many patients, “these websites are an essential point of contact to the health system.” 

The researchers examined all U.S. hospitals, or 6,162 websites, including 3,747 identified non-federal acute care hospitals with accessible websites. Nearly all had at least one third-party data transfer and 94.3% had at least one third-party cookie.

The most common tracking entity among these hospitals was Alphabet, the parent company of Google, with 98.5% of all home pages reporting third-party transfers. Meta was the second most common third-party with 55.6% of all transfers, followed by Adobe Systems (31.4%) and AT&T (24.6%). 

Notably, the researchers found that 69% of hospital homepages transferred data to third-party domains, of which the parent company could not be identified.

“Hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed website visitors to more third-party data transfers,” according to the report.

What’s more, a manual search of 100 randomly sampled hospital websites tied to six potentially sensitive conditions yielded 30 websites with patient-facing pages for all six conditions — and every single one of these pages had at least one third-party data transfer. Researchers found similar tracking on hospitals homepages.

“The amount of tracking on condition-specific pages was highly correlated with tracking on the homepage of the same hospital,” researchers wrote.

What’s more, the researchers found a high number of entities transferring data to third parties as part of their “business models built on identifying and tracking people for the purposes of targeting online advertisements.”

For example, Alphabet doesn’t sell data to third parties, but “allows targeted advertising through profiles, including the targeted promotion of prescription drugs.” While less prevalent companies have practices that have allowed lists of patients with certain disease types and their data, including their contact information to be available for purchase.

“Because little is known about the precise ways in which third parties use tracking data, the implications of extensive third-party tracking on hospital websites remain unknown but are potentially far reaching,” researchers wrote. “Health-related information inferred from browsing behavior also may be incorporated into risk scores.”

“Patients who visit hospital websites may see greater levels of online targeted advertisement for pharmaceuticals, medical supplements, and insurance products that potentially conflict with best practices or the advice of their physician, drive low-value health care spending, or substitute for more effective cures,” they continued.

Functionality should not come at the expense of patient privacy

The use of Pixels and other tracking tools are increasing the legal liability for hospitals, as well. Within the last year, hospitals that have reported inadvertent disclosures of patient data to third-party brokers have been promptly met with lawsuits from the affected patients.

But before the risk of pixel-tracking tools was broadly exposed, Mass General Brigham and the Dana-Farber Cancer Institute settled with a group of patients for $18 million to resolve claims these hospital networks did not gain consent to use third-party tracking tools, like cookies and tracking pixels, on their public-facing websites.

What’s clear is that hospital policy makers need to address tracking use on health-related websites, including auditing webpages to either limit or eliminate third-party tracking. If a decision is made to continue use of these tools, hospitals must clearly disclose it on the website and give patients the ability to opt out of the process completely.

As outlined in HIPAA and reaffirmed by the Department of Health and Human Services, “any third-party tools installed should also have their privacy policies reviewed by a hospital’s legal department in conjunction with a patient representative to ensure that the policies meet the hospital’s legal and ethical obligations to protect patient privacy.”

For entities not covered by The Health Insurance Portability and Accountability Act, the FTC has signaled it will continue to leverage its authority to crack down on these ‘egregious’ privacy practices, as seen with the enforcement actions against BetterHelp and GoodRx.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds