Governance & Risk Management , Healthcare , HIPAA/HITECH
Clinic Reports Tracking Pixel Breach Involving 3rd PartyLatest Health Provider to Treat Use of Online Trackers as Reportable HIPAA Breach
Newfound unease by clinicians over advertising-driven surveillance is causing a Midwest specialty medical care clinic to treat patient exposure to online tracking pixels as a data breach reportable to federal regulators.
See Also: Webinar | How the SASE Architecture Enables Remote Work
BayCare Clinic in Wisconsin earlier this month told the U.S. Department of Health and Human Services that 134,000 of its patients are affected by the deployment of online tracking technology by a partner that provided its electronic medical record system.
The clinic is at least the fourth major health provider to treat patient exposure to online behavior trackers as a reportable HIPAA breach. The department in December warned healthcare entities that commercial web traffic trackers offered by companies such as Google and Facebook could violate patient privacy law when embedded into patient portals (see: HHS: Web Trackers in Patient Portals Violate HIPAA).
Concerns over the use of tracking pixels in the healthcare industry exploded over the last year, especially after the Supreme Court's decision last June to overturn Roe v. Wade, the five-decade judicial precedent that guaranteed nationwide access to abortion. Reproductive health and privacy experts warned that law enforcement may attempt to collect information about abortions through digital footprints.
BayCare says the trackers potentially sent tech companies patient information including the dates, times and locations of scheduled appointments; the type of appointment or procedure; patients' proximity to a practice location; and insurance information.
BayCare describes itself as "the largest physician-owned specialty-care clinic in northeastern Wisconsin and Michigan’s Upper Peninsula.," It has more than 20 specialties and more than 100 physicians serving in 16 area communities.
Clinic patients' exposure to trackers stems from BayCare's use of websites supported by the Advocate Aurora Health system, the clinic says in a notice.
Advocate Aurora Health is among the entities that reported their use of online trackers from Google and Facebook to HHS as a breach. It says 3 million individuals are affected.
The company has removed or disabled the tracking codes from its websites and portals, BayCare says in its notification statement.
Meta - the parent of Facebook - faces a proposed class action lawsuit in San Francisco federal court for alleged health privacy violations through its tracking technology (see: Facebook Slapped with Another Health Data Privacy Lawsuit).
Judge William H. Orrick of the Northern District of California gave plaintiffs a Feb. 21 deadline to file for an amended consolidated complaint.
A study last year by data privacy firm Lokker found that around 2,500 hospitals and healthcare provider websites use Facebook Pixel, Google and similar tracking tools (see: Online Tracking Tools Provoke Patient Privacy Concerns).