Privacy and Security Concerns with Third-Party Tracking Technology
April 26, 2023
Fortalice Solutions

Authors: Bridget O'Connor, Kathy Lu, Alise Brzezinski

In August 2022, Fortalice Solutions (Fortalice) released a white paper, The Privacy Pitfalls and Security Dangers of Internet Trackers, which details the privacy concerns surrounding an organization’s use of internet trackers. Later that year, on December 1, 2022, the U.S. Department of Health and Human Services' (HHS) Office for Civil Rights (OCR) released a bulletin addressing the use of third-party tracking technologies by healthcare entities. Per the OCR, some regulated entities regularly share electronic protected health information (PHI) with online tracking technology vendors, and some may be doing so in a manner that violates Health Insurance Portability and Accountability Act (HIPAA) rules. The HIPAA Rules are violated when the information regulated entities collect or disclose through tracking technologies includes the impermissible disclosure of PHI. Over the last 10 months, Fortalice has completed more than 40 investigations related to third-party tracking technologies in the healthcare field. To that end, the Fortalice team has provided the following update based on our own learnings and the findings from the OCR bulletin.

Evolving Landscape

In its December bulletin, the OCR restated that “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” While, broadly speaking, this is likely not a new concept for most regulated entities, the idea of “individually identifiable health information” (IIHI), which includes demographic information related to a patient seeking or receiving health care, may be a new or misunderstood concept for many in the field.

Note: PHI is a subset of IIHI. Some examples of IIHI are a medical record number, home or email address, dates of appointments, medical insurance IDs, medical device IDs, and an individual’s IP address or geographic location. Because the IP address is a fundamental part of how internet traffic works and is sent each time a user visits a new webpage, it is where most of the debate has centered, specifically because the IP address can be used to determine an individual’s general location.

An IP address is a unique number that identifies where to send requests and where to send responses. Website owners cannot dictate or configure the sending of an IP address, as it is part of how internet communications work. An IP address is the return address for communications between the user’s browser and the server that runs the website. During an investigation, law enforcement will contact an internet service provider (ISP) to track down the location of the IP address. Without help from the ISP, it is still possible to get a rough, though far less precise, location associated with the IP address. Given that an IP address coupled with one additional identifier is considered a HIPAA violation, regulated entities are now faced with the unpalatable decision to turn off and remove all tracking technologies for their domains and subdomains if they have not signed a Business Associate Agreement (BAA) with the tracking technology vendor or, in cases where there is no BAA, the patient has not provided consent.

The Privacy Perspective on the Issue

Third-party tracking technologies may violate privacy by sending sensitive patient or consumer data to third parties when there is no medical or business reason to do so. From a privacy perspective, different types of trackers may, unintentionally or unbeknownst to the teams that implement them, capture sensitive information and transmit it to a third party. Specifically, this information may include personally identifiable information (PII) and/or protected health information (PHI), such as:

  • Full names;
  • Email addresses;
  • Mailing addresses;
  • Phone numbers;
  • IP addresses; and
  • Health information (e.g., insurance, medical condition, appointment details, or general patient data).

When an impermissible disclosure of PHI to a tracking technology vendor occurs (resulting in a HIPAA violation), organizations are required to provide breach notification to the affected individuals, the Secretary of Health and Human Services, and the media (when applicable). In this case, there is a presumption that there has been a breach of unsecured PHI unless the regulated entity can demonstrate that there is a low probability that the PHI has been compromised. The cost of HIPAA violations is significant. Since the compliance date of the Privacy Rule in April 2003, OCR has received over 322,579 HIPAA complaints and has initiated over 1,160 compliance reviews. To date, OCR has settled or imposed a civil money penalty in 130 cases, resulting in a total dollar amount of $134,828,772.00.

The Cybersecurity Perspective on the Issue

A leak of PHI can threaten an individual’s privacy and security. From a security standpoint, an impermissible disclosure of PHI may result in identity theft, financial loss, discrimination, stigma, mental anguish, or other serious negative consequences to the reputation, health, or physical safety of the individual or of others identified in the individual’s PHI. According to the OCR bulletin, this type of disclosure can reveal sensitive information about an individual, including diagnoses, frequency of visits to health care professionals, and where an individual seeks medical treatment. Moreover, a malicious actor can leverage that same data in social engineering campaigns, such as phishing or smishing attacks.

If the companies and organizations that use these technologies on their websites do not regularly review and update the JavaScript files that support the tracking technologies, there could be an even greater cybersecurity threat. From this perspective, third-party library risks apply to the source code that supports the tracking technologies. If the third-party code that supports the tracking technologies is compromised or edited by malicious actors, it may be possible to inject malicious code onto the website and/or send data to third parties other than the intended recipient.

Legal and Government Action

A recent study conducted by the health policy journal Health Affairs found that 98 percent of hospital websites had third-party tracking technology present, potentially sending patient information to third-party entities like social media companies or large technology companies. The impacts of third-party tracking technology are not limited to the healthcare industry, however. In fact, there has been a recent uptick in litigation due to the widespread misuse of data sent to tracking technology vendors, and the organizations named in the lawsuits extend beyond the healthcare space. Online retailers and news outlets that stream videos have also been impacted. Litigation and class-action lawsuits provide insight into how an individual’s privacy may have been violated because of third-party tracking technologies. Some notable examples include:

  • Patient data sent to a third party. A patient presented a claim that after her medical information had been sent to Facebook’s parent company, Meta, she then received targeted ads relating to her heart and knee conditions. A similar suit claims at least 664 healthcare providers have sent medical data to Meta via third-party tracking technology.
  • User and video view information sent to third parties. A series of class-action lawsuits asserting claims under the Video Privacy Protection Act (VPPA) have been filed. In the lawsuits, plaintiffs allege PII was disclosed via the Meta Pixel based on videos watched. Since 2022, 115 lawsuits have been filed alleging violations of the VPPA by online news outlets, streaming services, retailers, and other defendants, almost all of which are based on use of the Meta Pixel.

From coast to coast, State Attorneys General are also tackling this issue. The most notable action resulted in the largest multi-state privacy settlement in U.S. history. In a lawsuit led by Oregon and Nebraska, Google agreed to pay $392 million to 40 states in a settlement after violating state consumer protection laws about location tracking policies. The settlement also required Google to be more transparent with consumers and limits Google’s use and storage of certain types of location information.

In Washington State earlier this month, the Washington legislature passed the “My Health, My Data Act,” which now awaits the governor’s expected signature. The bill, promoted by Washington Attorney General Bob Ferguson, would be enforceable under the state’s Consumer Protection Act. The act “applies to basically everyone doing business in Washington, not just healthcare providers,” said Ari Friedman, a physician at the University of Pennsylvania who researches digital health privacy.

But the spotlight on this issue extends beyond the courtrooms and statehouses across the country, all the way to Capitol Hill. Senator Mark Warner (D-VA) has been a leader on this issue in Congress. In an October 2022 letter from Senator Warner to Meta CEO Mark Zuckerberg, he expressed concern and requested more information from Meta regarding its collection of user health information through the Meta Pixel. Senator Warner has introduced bipartisan legislation with Senator Josh Hawley (R-MO) requiring social media companies to disclose how they monetize user data (the DASHBOARD Act). Additionally, a bipartisan, bicameral group of lawmakers has introduced legislation, the DETOUR Act, to prohibit large online platforms from using deceptive user interfaces to trick consumers into handing over their personal data. Finally, in 2021, a group of lawmakers introduced the Public Health Emergency Privacy Act to implement strong and enforceable privacy and data security rights for health information.

Impacts beyond the healthcare industry

As noted above, privacy concerns related to internet trackers are not limited to the healthcare industry. Outside of the healthcare and mental healthcare spaces, banks and financial institutions could be the next industry to be affected by this issue. Some experts have suggested that the collection and sharing of personal data could violate the Gramm-Leach-Bliley Act and could also fall under recent rulings from the Consumer Financial Protection Bureau (CFPB). Quite frankly, any organization or company that operates in a regulated environment will likely be the next focus of inquiries and possible litigation around this issue, and any organization with a website faces challenges and considerations that require proactive management and attention to ensure it is protecting consumer data.

Within its post, “Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking,” the FTC identified three primary concerns. First, the widespread use of “invisible” internet trackers collecting and sharing information that consumers cannot avoid or turn off. This concern specifically arose from the FTC investigation of GoodRx for sharing sensitive health information for advertising. Soon after, BetterHelp was required to pay $7.8 million for revealing consumer data, including sensitive mental health data.

Second, the FTC highlighted the lack of clarity about how data was collected and later stored. The FTC was alarmed at how covert some third-party companies are about how they store data, and the commission noted that, in some cases, these third-party companies may not know the entirety of the information collected from the data.

Finally, the FTC expressed concern that some pixel tracking methods did not effectively remove personal information. In fact, in some cases, personal information such as an email address or name was hashed; however, the FTC noted that this was inadequate to protect the data because hashes can be reversed or can be linked across different databases.
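The following added example (not part of the original post or the FTC report) shows, on constructed sample records, why an unsalted hash of an email address is not anonymization: the same input always produces the same token, so two datasets can be joined on it, and a token can be recovered by hashing a list of known addresses. It also shows the mitigation a reviewer would want: a keyed HMAC with a secret per dataset, which breaks cross-dataset linkage as long as the key is not shared.

```python
import hashlib
import hmac
import secrets

# Constructed sample data (hypothetical): two datasets that each replaced the
# email column with an unsalted SHA-256 hash and assumed the result was anonymous.
PATIENT_PORTAL = [
    {"email": "jane.doe@example.com", "clinic": "cardiology"},
    {"email": "sam.lee@example.com", "clinic": "orthopedics"},
]
AD_PLATFORM = [
    {"email": "Jane.Doe@example.com", "ad_segment": "heart-health"},
    {"email": "pat.kim@example.com", "ad_segment": "sports"},
]

def normalize(email: str) -> bytes:
    return email.strip().lower().encode()

def naive_hash(email: str) -> str:
    """Unsalted SHA-256: deterministic, so identical across every dataset that uses it."""
    return hashlib.sha256(normalize(email)).hexdigest()

def keyed_hash(email: str, key: bytes) -> str:
    """HMAC-SHA256 with a dataset-specific secret key: same email, different token per key."""
    return hmac.new(key, normalize(email), hashlib.sha256).hexdigest()

def pseudonymize(rows, token_fn):
    """Replace the email column with a token produced by token_fn."""
    return [{**{k: v for k, v in r.items() if k != "email"}, "token": token_fn(r["email"])} for r in rows]

def linkable_records(a, b):
    """Records of b that can be joined to a on the pseudonymous token."""
    tokens = {r["token"] for r in a}
    return [r for r in b if r["token"] in tokens]

def link_with_naive_hash():
    # Both parties hash independently, yet the tokens still match.
    return linkable_records(pseudonymize(PATIENT_PORTAL, naive_hash),
                            pseudonymize(AD_PLATFORM, naive_hash))

def link_with_keyed_hash():
    # Each dataset holds its own secret key; tokens no longer match across datasets.
    # Caveat: if the same key is handed to the vendor, linkage returns.
    ka, kb = secrets.token_bytes(32), secrets.token_bytes(32)
    return linkable_records(pseudonymize(PATIENT_PORTAL, lambda e: keyed_hash(e, ka)),
                            pseudonymize(AD_PLATFORM, lambda e: keyed_hash(e, kb)))

def recover_from_known_list(token: str, known_emails):
    """A privacy review check: can a token be matched back to an address already held?"""
    return next((e for e in known_emails if naive_hash(e) == token), None)
```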

The Bottom Line

If you have a website, you may have a problem. It is crucial for all organizations and industries to gain an understanding of third-party internet trackers and how their own websites use them. By doing so, organizations can effectively safeguard consumer privacy, prevent costly lawsuits, and protect their reputation. Finally, organizations in regulated industries, such as healthcare and financial services, can protect themselves from regulatory fines and/or penalties by having a better understanding of the way third-party internet trackers operate on their websites.

How can Fortalice help?

Regulated organizations must now address the use of third-party tracking technologies within their annual risk and security assessments. Healthcare organizations should also ensure BAAs are in place with any tracking technology vendor that meets the definition of a “business associate” and should conduct regular validation of tracking technologies. Additionally, Fortalice can provide technical assistance to organizations needing or wanting to gain an understanding of the current third-party tracking landscape within their application environment.

By using a three-phased approach, Fortalice provides an analysis of tracking technologies to determine transmitted data and will create an inventory of tracking technologies (including legacy and/or hardcoded tags). Our Application Security team can verify the removal of trackers from various applications and provide continuous validation support as third-party trackers or solutions are introduced or re-introduced.

Fortalice never leaves our clients to fend for themselves, which is why our team offers a roadmap of solutions and additional advisory support following the initial assessment and investigation. Our advisory support may include training, advising, and drafting a playbook for our clients to independently review their own applications for internet trackers and tracking data security concerns in the future.

Fortalice stands ready to provide additional support not related to third-party tracking technologies to help fortify an organization’s security posture. For additional information on Fortalice Solutions service offerings, contact the team via email at watchmen@fortalicesolutions.com.

Resources

HHS Office of Civil Rights Issues Bulletin on Requirements under HIPAA for Online Tracking Technologies to Protect the Privacy and Security of Health Information: https://www.hhs.gov/about/news/2022/12/01/hhs-office-for-civil-rights-issues-bulletin-on-requirements-under-hipaa-for-online-tracking-technologies.html

Federal Trade Commission Report: Lurking Beneath the Surface: Hidden Impacts of Pixel Tracking: https://www.ftc.gov/policy/advocacy-research/tech-at-ftc/2023/03/lurking-beneath-surface-hidden-impacts-pixel-tracking

Senator Mark Warner’s October 2022 Letter to Mark Zuckerberg: https://www.warner.senate.gov/public/index.cfm/2022/10/warner-expresses-concern-over-meta-s-collection-of-sensitive-health-information

Health Affairs: Widespread Third-Party Tracking on Hospital Websites poses Privacy Risk for Patients and Legal Liability for Hospitals: https://www.healthaffairs.org/doi/abs/10.1377/hlthaff.2022.01205?journalCode=hlthaff
