Privacy, Supply chain, Application security

Healthcare’s Pixel problem: Meta-based marketing projects spur privacy questions

The Meta logo is displayed on a screen.
The Meta logo is displayed on a screen during a media preview of the new Meta Store on May 4, 2022, in Burlingame, Calif. (Photo by Justin Sullivan/Getty Images)

Reports that Meta’s Pixel tool was scraping health data from hospital websites has led to patient outcry, multiple massive breach reports from healthcare entities, denial from Facebook, and more than 50 lawsuits over the alleged privacy violations.

But one looming question stands: why would health entities use a tool from a company with a history of public privacy violations, including those involving health data?

The answer, it seems, is that the teams implementing these tools likely had no idea.

Marketing teams will commonly use tracking tools to assess user interactions on enterprise websites, which are compiled into reports that assess how long users are on certain pages, the effectiveness of marketing campaigns, engagement, and other helpful data points, Mike Hamilton, Critical Insight CISO, told SC Media.

The intent of using these technologies was to better understand how their patient portals were being used, Hamilton noted. The hospital analytics or marketing teams that deployed Meta’s Pixel tool likely “didn’t really understand” how the tool functions. Namely, that it appears to transmit all of this data gathered on patients and their behaviors to third parties.

What’s more, users simultaneously logged into Facebook and/or Google have been the most impacted because all of this unnecessary data “was transmitted back to them,” he explained.

For what it’s worth, Meta has denied it collects hospital data and is currently defending itself in multiple lawsuits brought against the company in light of the reports and three breach notices impacting about 4 million patients.

To Hamilton, this is why it appears these entities had no idea the data was being sent outside of their enterprise. “All they were told was, ‘Here's some technology that's going to provide you detailed information on how your portals are being used and how users interact with your sites.’”

They didn’t understand how it worked and “just thought it was great analytics that would get all this great information and did not know that health appointment history was going to be transmitted.”

The trouble is that there are a lot of other ways to do that than to “go to the Dark Lord of the Universe and use their tracking stuff for this, which is going to Hoover up all kinds of things that are superfluous to what you're trying to get done,” he added.

SC Media spoke with Hamilton and Andrew Mahler, CynergisTek’s vice president of privacy and compliance, to understand the risks of failing to consider technical or compliance issues when deploying new tools and what providers should do now if they’re using pixel tracking tools.

Patient experience requires necessary, secure technology

The reports spurred action from providers who now need to think outside of routine types of patient information disclosures under the Health Insurance Portability and Accountability Act, perhaps for the first time, explained Mahler. “This feels different because it's a little more difficult to really understand and have visibility into those transactions.”

The tracking issue underscores the importance of having a “comprehensive understanding of the ways in which third parties may either intentionally or inadvertently have access to data flowing through healthcare systems,” he added.

If entities want to use a similar tool, it’s important to assess what they’re hoping to gain from the particular technique — in addition to fully assessing how the tool works and how the data is shared, said Hamilton.

This scenario should serve as a warning for covered entities to “be thinking about third-party risk management in a much more detailed and holistic way,” Mahler stressed. It’s created “an opportunity for people to start thinking more creatively about how they're assessing their vendors, and what types of questions they're asking.”

In short, the vendor risk assessments providers send to third parties come with a set of standard questions, he continued. But entities must “go a lot deeper.”

But that will take entities breaking down silos and ensuring the compliance office or CISO is part of these projects, particularly on projects that seek “to aggregate data and figure out new ways to better track patients and promote better outcomes,” said Mahler.

As such, there needs to be a process to determine the right tool to use to accomplish patient engagement initiatives and bolster the care experience. Hamiton stressed that it’s an important goal, but it was just a poorly chosen tool.”

Providers need to be sure they’re only using tools that don’t repackage and sell personal data to “brokers because then it's all over the place,” he added. “As we know, we can buy location information from these brokers.”

The reality is that this Meta or Facebook issue may not have happened at all to these providers had the team tasked with choosing this tool asked the right questions of their patient portal tech, Meta, and third parties to notice, “‘Oh, gosh, there are some opportunities here for them to be collecting IP addresses and other types of identifiable data,” said Mahler.

Urgent need for hospitals to review websites

The initial reports on the alleged data scraping by Pixel noted that the tool was in use at many major health systems. But so far, only WakeMed Health, Advocate Aurora Health, and Novant Health have reported a Pixel-based breach to the Department of Health and Human Services.

Mahler noted that it may be due to risk management: “Some organizations may feel like the risk is minimal. In other words, they could be aware of it, but they may conduct a risk assessment, or they may ask some questions of the vendor, and they might feel comfortable.”

But it may also be a simple case where it’s just not on the radar of the security or compliance officer, even though it should be just because of the scale of these entities using this type of tracking tool.

Hamilton urged anyone reading this and wondering if they have also inadvertently disclosed patient data in this fashion, to ignore the trepidation and find out for certain. It’s likely a number of providers are worried about “falling on their sword” and are weighing “the risk versus cleaning it up, but they’re going to have to report.”

If an entity discovers they’re part of this privacy issue, it’s imperative to notify patients and assess current policies.

“The health sector in particular needs to look at its own policies around marketing because this is about marketing and gaining efficiencies so the portal is doing most of the work rather than interacting with people,” which “are in really short supply in the health sector right now,” said Hamilton.

The second most important policy issue is to educate staff of these types of risk. There will likely be a lot of other issues to come to light in the near future. And due to the alleged scraping and sharing with third-party data brokers, providers may also face FTC action even if they avoid an HHS audit.

SC Media recently reported multiple providers have faced FTC enforcement action over data security lapses that impacted consumer data, not to mention state regulators as well.

“There’s still more gas to be poured on this fire,” said Hamilton. While the impacted providers may not have known this activity was going on, someone on Meta’s team did know, if the data scraping indeed occurred — and if it was protected health information.

It’s unclear what happens with the data, but if they re-monetize the scraped consumer information, Hamilton warns “they're gonna get smacked, big time.” The social media giant has already been named in dozens of these lawsuits.

For now, hospitals that have implemented similar marketing programs should re-check the tracking tools they have in use to ensure they don’t fall victim to similar fates. Hamilton hopes that HHS will develop guidelines specific for marketing purposes, including a list of products that can accomplish these patient care goals and still maintain PHI privacy.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.