
Privacy and Security Concerns with Third-Party Tracking Technology

Evolving Landscape of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” While, broadly speaking, this is likely not a new concept for most regulated entities, the idea of “individually identifiable health information” (IIHI), which includes demographic information related to a patient seeking or receiving health care, may be a new or misunderstood concept for many in the field.


Note: PHI is a subset of IIHI. Some examples of IIHI are a medical record number, home or email address, dates of appointments, medical insurance IDs, medical device IDs, as well as an individual's IP address or geographic location. Because the IP address is a fundamental part of how internet traffic works and is transmitted each time a user visits a new webpage, this is where most of the debate has centered, specifically because an IP address can be used to determine an individual's general location.


The Privacy Perspective on the Issue


  • Email addresses
  • Phone numbers
  • Health information (e.g., insurance, medical condition, appointment details, or general patient data)

The Cybersecurity Perspective on the Issue


If the companies and organizations that use these technologies on their websites do not regularly review and update the JavaScript files that support the tracking technologies, there could be an even greater cybersecurity threat. From this perspective, third-party library risks apply to the source code that supports the tracking technologies. If that third-party code is compromised or edited by malicious actors, it may be possible to inject malicious code into the website and/or send data to third parties other than the intended recipient.


Patient data sent to a third party. A patient presented a claim that after her medical information had been sent to Facebook's parent company, Meta, she then received targeted ads relating to her heart and knee conditions. A similar suit claims at least 664 healthcare providers have sent medical data to Meta via third-party tracking technology.


But the spotlight on this issue extends beyond the courtroom and statehouses across the country, all the way to Capitol Hill. Senator Mark Warner (D-VA) has been a leader on this issue in Congress. 


Impacts beyond the healthcare industry


Within its post, “Second, the FTC highlighted the lack of clarity about how data was collected and later stored. The FTC was alarmed about how covert some third-party companies are in how they store data; the commission noted that, in some cases, these third-party companies may not know the entirety of the information collected from the data.


The Bottom Line


How can Fortalice help?


Using a three-phased approach, Fortalice analyzes tracking technologies to determine what data is transmitted and creates an inventory of tracking technologies (including legacy and/or hardcoded tags). Our Application Security team can verify the removal of trackers from various applications and provide continuous validation support as third-party trackers or solutions are introduced or re-introduced.


Fortalice stands ready to provide additional support not related to third-party tracking technologies to help fortify an organization's security posture. For additional information on Fortalice Solutions service offerings, contact the team via email at watchmen@fortalicesolutions.com.

  • HHS Office of Civil Rights, Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information
  • Federal Trade Commission, Lurking Behind the Surface: Hidden Impacts of Pixel Tracking
  • Senator Mark Warner's October 2022 Letter to Mark Zuckerberg
  • Health Affairs, Widespread Third-Party Tracking on Hospital Websites Poses Privacy Risk for Patients and Legal Liability for Hospitals
