A 1x1 graphic (about the size of a grain of sand) embedded on your screen goes unseen as you catch up on the news, shop online, or browse recipes for dinner inspiration. Powered by a bit of JavaScript code, a tracking pixel — found on 30% of the web’s 100,000 most popular destinations — is responsible for the targeted, flashy banner advertisement that’s followed you across your entire digital to-do list.
Controversial usage of pixel technology has brought it into the spotlight, recently necessitating a breach notification to 3 million patients at 26 hospitals throughout the Chicago area. The problem at hand? Personal information and sensitive data are (arguably) being provided to third-party vendors, like Meta and Google, resulting in both regulatory violations and data privacy suits.
Recent guidance from the U.S. Department of Health and Human Services Office for Civil Rights (OCR) even states: “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of [Protected Health Information (PHI)] to tracking technology vendors or any other violations of the HIPAA Rules.”
Many of us are guilty of clicking “Accept Cookies” as quickly as possible to clear a mildly obtrusive website pop-up (we can thank privacy regulations and Acts, like the GDPR and CCPA, for giving us the option to do so). These small files are used by web servers for data collection to improve your browsing experience by storing username and passwords, online shopping carts, and other types of data related to your digital footprint. They also provide information to marketers so they can advertise more products and services they think you want.
In the past, companies could only identify you by the ID passed along to your browser from first or third-party cookies. With the introduction of pixel tracking technology, it gets a little more complicated. A company’s first party data is shared with third-party vendors, where they create interest-based user profiles that benefit advertisers looking to run targeted campaigns using customer data. These vendors, like Google and Facebook, are now getting a more comprehensive understanding of who you are and what you’re doing through your entire browsing journey.
While this may help market to niche audiences and data subjects, it also presents a plethora of privacy problems. For example, the Meta pixel knows your name, and other Personally Identifiable Information (PII), based on matching your digital ID to your Facebook or Instagram account. No profile? No worries; it’s standard practice for Meta to receive a bundle of data linked directly to your IP address.
LinkedIn and the latest social media behemoth, TikTok, are also driving the pixel tracking phenomenon. Data transmitted back to TikTok, for example, includes IP addresses, your clicks, and what you search. With no clear path for “opting out,” it’s no surprise your targeted ads really seem to get you.
Aside from the obvious privacy concerns, tracking pixels have been found in places where they shouldn’t be, like password-protected patient portals. That’s why Community Health Network — an Indiana-based healthcare system — recently notified 1.5 million individuals of a data breach. This is a potential violation of HIPAA, the federal law responsible for protecting personal health information, and it’s not an isolated incident. One-third of the top 100 hospitals in the United States sent patient data to a third-party media platform. According to The Markup, data sent from hospitals included full names, descriptions of allergic reactions, and medication details. Search terms, like “pregnancy termination” and “Alzheimer’s,” were also transmitted by the pixel.
OCR has already opened investigations for the Community Health Network and Advocate Aurora Health data breach notifications.
On December 1, 2022, the OCR released guidance to regulated entities on the proper use of tracking technologies, advising they shouldn’t be used “in a manner that would result in impermissible disclosures of ePHI to tracking technology vendors or any other violations of the HIPAA Rules.”
According to the OCR, identifying use of tracking technology in a website or app’s privacy policy is not enough. Healthcare entities must also have a business associate agreement (BAA) in place with the tracking technology vendor. In addition, entities must provide breach notification to affected individuals of an impermissible disclosure of PHI to a tracking technology vendor when there was no permission to disclose PHI and no BAA with the vendor. OCR stated there is a presumption of a breach unless the entity can demonstrate a low probability that the PHI has been compromised.
Over the past six months, a growing number of privacy class actions have hit Meta (as well as companies and healthcare entities using tracking technology), claiming that the pixel is improperly collecting sensitive patient information without proper disclosure to patients. Earlier this year, Boston-based Mass General Brigham agreed to pay $18 million to settle a class action suit over their use of tracking tools (including the Meta pixel), but denied any wrongdoing. Facebook argues that sensitive information is filtered out of its data and not used for marketing purposes, but several class action suits specifically reference advertisements targeted to the plaintiffs’ medical conditions.
While the potential collection of healthcare data by tracking technology vendors without consent and BAAs is understandably the leading story related to pixel tracking, all industries should be mindful of how they approach the use of this technology in regard to data privacy compliance. Since February, 47 proposed class actions allege that Meta pixel sent video consumption data from online platforms to Facebook without user consent, in violation of the Video Privacy Protection Act. Five states—California, Colorado, Connecticut, Utah, and Virginia—have enacted comprehensive consumer data security and privacy laws, and more state legislatures are expected to follow suit. Companies with an international footprint must also be mindful of the General Data Protection Regulation (GDPR) in Europe.
Organizations should review their websites for code relating to tracking technologies and determine if the technology is even being used from a marketing standpoint. If it’s not being used, remove the code while keeping in mind the following:
If your organization determines that use of tracking technologies is beneficial from a marketing standpoint, evaluate whether the benefits outweigh the regulatory or litigation risks (which could be the case for some industries). If the benefits of use outweigh the potential for liability, then we recommend a thoughtful approach to its usage (see recommendations below from Fortalice).
If your organization is a HIPAA-covered entity or business associate, even if you derive some benefit from using this technology, strongly consider removing tracking technology code if you cannot obtain a BAA with the vendor. The risks of use without a BAA likely outweigh any benefit to your organization.
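One way to carry out the website review recommended above, as an added example that is not Corvus’s Corvus Scan or any vendor’s tool: a standard-library scan of a page’s HTML for the public Meta, TikTok, LinkedIn and Google tag loaders and collection endpoints, their inline initialisation calls, and unexplained 1x1 images. The HTML sample is constructed; the pixel IDs in it are placeholders.

```python
# Added example (not Corvus's Corvus Scan or any vendor tool); SAMPLE_HTML is constructed.
from html.parser import HTMLParser
import re

TRACKER_HOSTS = {  # vendor -> substrings of its public loader / collection-endpoint URLs
    "Meta pixel": ("connect.facebook.net", "facebook.com/tr"),
    "TikTok pixel": ("analytics.tiktok.com",),
    "LinkedIn Insight Tag": ("snap.licdn.com", "px.ads.linkedin.com"),
    "Google tag": ("googletagmanager.com", "google-analytics.com"),
}
INLINE_MARKERS = {  # inline JavaScript that initialises each vendor's tag
    "Meta pixel": re.compile(r"\bfbq\s*\(\s*['\"]init['\"]"),
    "TikTok pixel": re.compile(r"\bttq\.load\s*\("),
    "LinkedIn Insight Tag": re.compile(r"_linkedin_partner_id"),
    "Google tag": re.compile(r"\bgtag\s*\(\s*['\"]config['\"]"),
}

class TrackerScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []      # (vendor, where) tuples, in document order
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        self._in_script = tag == "script"   # script bodies arrive via handle_data
        src = a.get("src") or ""
        hit = [v for v, hosts in TRACKER_HOSTS.items() if any(h in src for h in hosts)]
        self.findings += [(v, f"<{tag} src={src}>") for v in hit]
        # An unmatched 1x1 image is the classic tracking-pixel shape: flag it for review.
        if tag == "img" and not hit and a.get("width") == "1" and a.get("height") == "1":
            self.findings.append(("1x1 pixel image", f"<img src={src}>"))

    def handle_endtag(self, tag):
        self._in_script = self._in_script and tag != "script"
    def handle_data(self, data):
        if self._in_script:
            for vendor, pattern in INLINE_MARKERS.items():
                if pattern.search(data):
                    self.findings.append((vendor, "inline script"))

def find_trackers(html):
    scanner = TrackerScanner()
    scanner.feed(html)
    return scanner.findings

SAMPLE_HTML = """<html><head><script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-XXXXXXX"></script>
</head><body><img src="/logo.png" width="120" height="40"></body></html>"""  # constructed
```

Run `find_trackers(SAMPLE_HTML)` to see the three indicators the sample carries (the inline Meta init, the Meta `<noscript>` fallback image, and the Google tag loader); the list of hosts and markers is a starting point to extend for the vendors your own site uses.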
We believe in a proactive approach throughout the entire policy period. With our non-invasive Corvus Scan, we’re able to view an organization’s public-facing web infrastructure, software vulnerabilities, and in this case, use of pixel tracking technology. Our Risk + Response team keeps a watchful eye on the evolving legal and regulatory landscape, so we promptly sent an advisory to all policyholders with websites utilizing pixel technology to provide next steps and guidance.
Any companies unsure of how best to proceed should start by consulting with privacy counsel. If you’re a Corvus policyholder, we can connect you for an initial free consultation.
This article and its contents are intended for general guidance and informational purposes only. This article is under no circumstances intended to be used or considered as specific insurance or information security advice.