SUMMARY: Healthcare organizations must exercise greater caution when configuring and using the Meta Pixel and other website tracking technologies, or risk raising their cyber liability exposure.
- The Meta Pixel can send patients’ protected health information (PHI) to Facebook, which may constitute a violation of HIPAA regulations.
- Recent court decisions finding that data transmission via pixel tools violates state wiretapping laws have sparked a surge of class action litigation against healthcare organizations.
- Healthcare organizations and their insurers can take practical steps to mitigate the liability risk of using the Meta Pixel.
In August 2022, Novant Health, a major U.S. mid-Atlantic healthcare network, made public a significant “possible disclosure of protected health information (PHI).” Novant notified 1.3 million patients that this incident may have affected their data.
Unlike some high-profile data breaches, this breach didn’t happen because hackers deployed ransomware or sent phishing emails to trick authorized users into giving up login credentials. It occurred because Novant improperly configured its Meta Pixel, the tracking technology it uses on its own websites.
Meta Pixel incidents in healthcare are drawing increasing attention. Meta's website tracking tool, which feeds advertising on its Facebook and Instagram platforms, offers real advantages to healthcare organizations. But it can also expose them to higher levels of cyber liability.
What is the Meta Pixel?
Formerly known as "the Facebook Pixel," the Meta Pixel is, like other tracking pixels, a snippet of JavaScript embedded in a website's pages. The pixel records visitors' presence and activity on the site and reports it to Meta. It collects information "in the background," including visitors' IP addresses, the pages they view, the buttons they click, and text they enter into forms.
The data the pixel tool collects gives website owners valuable opportunities to identify trends, optimize user experience, refine targeted marketing, and better understand site visitors.
Healthcare organizations, no less than others, see the potential in analyzing metrics from visits to their public-facing websites. The data the Meta Pixel sends to Facebook helps them do so. Facebook, in turn, uses that data to show the organization's advertising and other content to the audiences it predicts will be most responsive.
What Makes the Meta Pixel Risky for Healthcare Organizations?
In June 2022, investigative journalism website The Markup reported it found the Meta Pixel on websites of 33 of the top 100 hospitals in the United States. It also found the pixel installed inside seven health systems’ password-protected patient portals.
The Meta Pixel was sending sensitive information about patients’ personal health and medical conditions to Facebook without patients’ knowledge or consent. Details about patients’ diagnoses, prescriptions, appointments, and more were being transmitted.
The HIPAA Privacy Rule exists to safeguard such protected health information (PHI). Covered entities such as these hospitals must comply with its standards. Yet former regulators, health data security experts, and privacy advocates said these hospitals’ use of the Meta Pixel may constitute HIPAA violations.
The Department of Health and Human Services (HHS)’ Office for Civil Rights (OCR) has issued guidance for covered entities using website tracking tools. It states, “Regulated entities are not permitted to use tracking technologies in a manner that would result in impermissible disclosures of PHI to tracking technology vendors or any other violations of the HIPAA Rules.” The OCR specifically cited “disclosures of PHI to tracking technology vendors for marketing purposes, without individuals’ HIPAA-compliant authorizations” as one example of a violation.
How Extensive Is the Meta Pixel Healthcare Problem?
Naturally, health systems, hospitals, and other organizations don't intend to put patients' sensitive information at risk. Novant, for example, deployed the Meta Pixel in May 2020 to run Facebook advertisements promoting COVID-19 vaccination and to measure how those campaigns performed.
Nevertheless, because Novant did not correctly configure the pixel on its site and its patients' "MyChart" portal, the pixel ended up sending patient PHI to Facebook. Disclosing PHI to a third party for marketing purposes without patients' authorization runs afoul of the HIPAA Privacy Rule.
In addition, the data shared included not only clinical details but also identifiers such as email addresses, phone numbers, and emergency contact details. Under HIPAA, such identifiers are themselves PHI when a covered entity holds them in connection with a patient's care.
Novant didn’t remove the Meta Pixel from its site and patient portals until May 2022, meaning the exposure lasted two full years. In that time, the misconfigured pixel transmitted sensitive information from 1,362,296 people to Facebook.
Novant isn’t the only system to suffer a Meta Pixel healthcare data breach. In August 2022, Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, notified some 3 million patients their data had been exposed.
"When patients used Advocate Aurora Health patient portals available through MyChart and LiveWell platforms," an AAH statement explained, "as well [as] some of our scheduling widgets, certain protected health information … would be disclosed in certain circumstances, particularly for users concurrently logged into their Facebook or Google accounts."
As The Markup's investigation illustrates, once sensitive data is shared via a pixel tool, it is exposed to discovery by others, in detail as intimate as a patient's allergic reactions or an abortion. The possibility that threat actors could obtain this information and use it for criminal purposes looms large.
How Are Pixel Tool Data Breaches Playing Out in the Courts?
HIPAA gives patients no private right of action; only the government can enforce it. But in August 2022, the 3rd Circuit Court of Appeals held, in Popa v. Harriet Carter Gifts, Inc., that using tracking code to send a visitor's browsing and product-search activity to a third-party marketing vendor could be an "interception" of a "communication" in violation of Pennsylvania's wiretapping law.
The 3rd Circuit's ruling set the stage for a surge of class action lawsuits in several jurisdictions, including suits against healthcare entities using the Meta Pixel. And despite its assurances that its filtering mechanisms prevent "sensitive health-related data … from being integrated into [its] ads ranking and optimization systems," Meta, too, has found itself the target of multiple lawsuits.
As of mid-December 2022, only one health system has settled its class action. Boston-based Mass General Brigham denied wrongdoing but agreed to pay $18 million. Clearly, the financial risk to healthcare organizations is major.
How Can Organizations and Insurers Mitigate the Risks?
Hospitals, health systems, and other HIPAA-covered entities—as well as the carriers who provide their Cyber Liability Insurance policies—can take practical steps to mitigate the risks of using pixels and other website tracking tools (for example, session replay and chatbots).
- Ensuring Proper Tool Configuration
Entities' legal/compliance teams must coordinate with IT and data security teams to ensure pixels and other tracking technologies are set up so they do not violate domestic and international privacy laws. In practice, that means keeping the pixel off authenticated patient portals and scheduling pages, turning off automatic collection of button text and form fields, and reviewing what each configured event actually transmits. Working on these issues in silos will not serve the organization well.
- Reviewing and Updating Privacy Policies
A comprehensive audit of both external and internal privacy policies, conducted by legal experts, should reveal any areas of concern to address before deploying tracking tools. Giving website users a clear way to understand and consent to the collection of their data can help minimize liability.
- Getting and Staying Up-to-Date With Privacy Regulations
In the United States and abroad, the legal landscape around allowable collection and use of individuals' personal information has been changing rapidly. Regular reviews of the latest legislation, as well as guidance such as OCR's, are nonnegotiable.
- Discussing Risk Levels and Coverage Limitations with Brokers
Organizations and insurers must have open, honest conversations about how the use of pixel tools and other tracking technologies will affect cyber risk. Insurers must not hesitate to ask insureds and potential insureds whether they are using these technologies, and they must be forthcoming about their own risk appetite. Review contract and insurance-based risk transfer mechanisms, and update them as necessary.
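The configuration checks above can be automated against a site's shipped HTML. The Node.js script below is an added example, not code from this article, from Meta, or from any of the health systems named here. It assumes a constructed set of sample pages, a placeholder pixel ID, and example hostnames, and it relies on Meta's documented `autoConfig` setting to tell a hardened installation from a default one. It also illustrates the earlier description of what the pixel collects by building the URL a PageView beacon would carry.

```javascript
// Added example (not code from the original article, from Meta, or from any
// health system named above): a Node.js audit that finds the Meta Pixel in
// page HTML and shows what its PageView beacon would transmit. The hostnames,
// pixel ID, and page contents below are constructed for this example.

// How the pixel appears in shipped HTML: the loader script, fbq('init', ...)
// calls, and the <noscript> image-beacon fallback.
const PIXEL_LOADER   = /connect\.facebook\.net\/[^"'\s]*fbevents\.js/;
const PIXEL_INIT     = /fbq\(\s*['"]init['"]\s*,\s*['"]?(\d{6,})['"]?/g;
const AUTOCONFIG_OFF = /fbq\(\s*['"]set['"]\s*,\s*['"]autoConfig['"]\s*,\s*false\b/;
const IMG_BEACON     = /https:\/\/www\.facebook\.com\/tr\?[^"'\s]*/g;

function detectMetaPixel(html) {
  const pixelIds = [...html.matchAll(PIXEL_INIT)].map((m) => m[1]);
  const beacons = html.match(IMG_BEACON) || [];
  return {
    present: PIXEL_LOADER.test(html) || pixelIds.length > 0 || beacons.length > 0,
    pixelIds,
    // Meta's Automatic Configuration collects button text and form metadata
    // unless the site disables it with fbq('set', 'autoConfig', false, id).
    autoConfigDisabled: AUTOCONFIG_OFF.test(html),
    beacons,
  };
}

// A PageView beacon carries the page URL in its `dl` parameter, so a path or
// query string describing the visit (clinic, appointment type) leaves with it.
function pageViewBeacon(pixelId, pageUrl) {
  const params = new URLSearchParams({ id: pixelId, ev: 'PageView', dl: pageUrl });
  return `https://www.facebook.com/tr/?${params.toString()}`;
}

// Audit one page: the pixel on an authenticated (portal) host, automatic
// collection left enabled, and the exact URL a PageView would send.
function auditPage({ url, html }, portalHosts) {
  const findings = [];
  const pixel = detectMetaPixel(html);
  if (!pixel.present) return findings;
  const { hostname, search } = new URL(url);
  const onPortal = portalHosts.includes(hostname);
  if (onPortal) findings.push(`pixel loaded on authenticated host ${hostname}`);
  if (!pixel.autoConfigDisabled) {
    findings.push('automatic configuration enabled: button text and form fields may be collected');
  }
  if (onPortal || search) {
    findings.push(`PageView beacon: ${pageViewBeacon(pixel.pixelIds[0] || 'unknown', url)}`);
  }
  return findings;
}

// Constructed samples: a public vaccine page with the pixel hardened, a
// patient-portal scheduling page with the default configuration, and a page
// without the pixel at all.
const SAMPLE_PAGES = [
  {
    url: 'https://www.example-health.org/vaccines/covid-19',
    html: `<script>!function(f,b,e,v,n,t,s){/* loader */}(window,document,'script',
      'https://connect.facebook.net/en_US/fbevents.js');
      fbq('set', 'autoConfig', false, '123456789012345');
      fbq('init', '123456789012345'); fbq('track', 'PageView');</script>`,
  },
  {
    url: 'https://mychart.example-health.org/Appointments/Schedule?dept=oncology',
    html: `<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
      <script>fbq('init', '123456789012345'); fbq('track', 'PageView');</script>
      <noscript><img src="https://www.facebook.com/tr?id=123456789012345&ev=PageView&noscript=1"/></noscript>`,
  },
  { url: 'https://www.example-health.org/about', html: '<html><body>No trackers here</body></html>' },
];

function auditSite(pages = SAMPLE_PAGES, portalHosts = ['mychart.example-health.org']) {
  return pages.map((page) => ({ url: page.url, findings: auditPage(page, portalHosts) }));
}

// Usage: node meta_pixel_audit.js
console.log(JSON.stringify(auditSite(), null, 2));
```

The hardened public page produces no findings: the pixel is confined to a marketing URL, automatic configuration is off, and the page URL carries no query string. The portal page produces three, the last of which is the literal beacon URL with the appointment department embedded in `dl`, which is the kind of disclosure the Novant and Advocate Aurora notices describe. In a real audit, replace the constructed pages with HTML fetched from each route of the site, including authenticated ones.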
Help Your Clients Mitigate Their Cyber Exposures with ProWriters
The rising number of cyber crimes makes Cyber Insurance coverage a must in today’s business landscape. Brokers can help businesses mitigate risks by offering Cyber Insurance policies that match their needs. At ProWriters, we are dedicated to helping you accomplish this endeavor.
ProWriters provides brokers with the best resources and tools to give you a competitive edge in the insurance market. Our proprietary Cyber IQ Comparative Rate Platform enables our partner brokers to generate Cyber Insurance quotes from leading carriers in minutes. Our brokers also enjoy the support of experts with decades of experience in the industry. Reach out today to learn more!