Third-party pixel use greatly increases healthcare data breach risk: study
The use of third-party tracking pixels at hospitals increased breach risk by 46%, an analysis of 12 years of historical pixel usage data revealed.
Rutgers researchers encouraged hospitals to leverage homegrown, first-party tracking pixels to avoid healthcare data breaches, rather than relying on third-party pixels that can send sensitive user data to external vendors, according to a study they published in PNAS Nexus.
The researchers analyzed 12 years of website data from 1,201 hospitals and found that 66% of those hospitals used third-party tracking pixels. What's more, the hospitals that used them were 46% more likely to experience a data breach.
Third-party tracking pixels are snippets of code that send information like web analytics, marketing and patient engagement data to vendors. These pixels are widely accepted in fields such as social media and e-commerce, the study noted, but their use in healthcare raises nuanced data privacy and HIPAA compliance concerns.
A 2023 study published in Health Affairs found that nearly all U.S. nonfederal acute care hospital websites contained these tracking technologies. Over the past several years, these discoveries have led to a substantial number of healthcare data breach disclosures, largely among hospitals that did not initially realize that the tracking pixels were configured in a way that allowed sensitive information to be transmitted to external parties.
In addition to documented data breaches, the issue of third-party tracking pixels in healthcare has spurred dozens of lawsuits and regulatory challenges.
Using the Wayback Machine, the Rutgers researchers analyzed hospital website pixel use from 2012 to 2023, finding that hospitals using third-party tracking pixels were linked to a 13% increase in unintended disclosures -- the most likely breach type tied to pixel use.
"Once patient data are transmitted to external vendors, hospitals have limited oversight of how it is stored or shared, making them vulnerable to security lapses in third-party systems," the study stated.
"Cross-site tracking further heightens these risks, as third-party vendors can aggregate data from multiple websites, making it possible to reconstruct behavioral patterns and infer sensitive health details."
Despite the risks associated with third-party tracking pixels, just 14% of hospitals included in the study had implemented first-party pixels, which offer full control over data collection and shield hospitals from inadvertently disclosing sensitive information to third parties without a HIPAA business associate agreement.
"As with many technology decisions, hospitals often outsource due to limited internal resources and expertise," the study noted.
"First-party pixels, however, show no significant relationship with breaches, suggesting that external data transmission, rather than pixel technology itself, is the key risk factor."
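The first-party versus third-party distinction can be checked directly against a page's markup. The following is an added example, not code from the study or this article: it lists which hosts a page contacts on load and which query parameter names would go to hosts outside the hospital's own site. The hostnames and HTML are constructed, and `site_of` uses a naive last-two-labels rule as a stand-in for a public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import parse_qs, urljoin, urlparse

LOADING_TAGS = {"script", "img", "iframe"}  # a src on these triggers a request on load

# Constructed sample: one first-party pixel, one third-party script and pixel.
PAGE_URL = "https://www.hospital.example/oncology/appointments"
SAMPLE_HTML = """
<script src="/static/app.js"></script>
<img src="https://metrics.hospital.example/p.gif?page=%2Foncology" width="1" height="1">
<script src="https://cdn.vendor-analytics.example/pixel.js"></script>
<img src="//t.vendor-analytics.example/collect?page=%2Foncology&amp;uid=abc123" width="1" height="1">
"""

def site_of(host):
    """Naive site key: last two DNS labels (assumption, not a public-suffix lookup)."""
    return ".".join(host.lower().split(".")[-2:])

class SrcCollector(HTMLParser):
    """Collects the absolute URL of every resource the page loads via src."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.urls = []

    def handle_starttag(self, tag, attrs):
        src = dict(attrs).get("src")
        if tag in LOADING_TAGS and src:
            self.urls.append(urljoin(self.page_url, src))

def audit(page_url, html):
    """Split request hosts into first party and third party, with the
    query parameter names each third-party host would receive."""
    page_site = site_of(urlparse(page_url).hostname)
    collector = SrcCollector(page_url)
    collector.feed(html)
    report = {"first_party": set(), "third_party": {}}
    for url in collector.urls:
        parts = urlparse(url)
        if not parts.hostname:  # data: URIs and similar carry no host
            continue
        if site_of(parts.hostname) == page_site:
            report["first_party"].add(parts.hostname)
        else:
            sent = report["third_party"].setdefault(parts.hostname, set())
            sent.update(parse_qs(parts.query, keep_blank_values=True))
    return report

if __name__ == "__main__":
    for host, params in sorted(audit(PAGE_URL, SAMPLE_HTML)["third_party"].items()):
        print(host, sorted(params))
```

Pixels injected at runtime by a loaded script do not appear in static HTML, so a third-party script host in the report warrants inspection of live network traffic as well.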
Although resource constraints may stifle first-party pixel adoption, the benefits of keeping sensitive health data private are clear, potentially providing an incentive to implement this tech in a controlled environment rather than risk data breaches and reputational damage.
"Beyond compliance, pixel tracking raises broader ethical concerns about patient trust and transparency," the study added. "The unauthorized transmission of PHI to external vendors may undermine public confidence in healthcare institutions, exacerbating existing concerns over data privacy in the digital age. As regulatory scrutiny intensifies, hospitals will likely face mounting pressure to reassess their digital tracking strategies."
Jill Hughes has covered health tech news since 2021. Her coverage areas include cybersecurity, HIPAA compliance, interoperability, AI and EHRs.