Governance & Risk Management , Healthcare , HIPAA/HITECH

Clinic Reports Tracking Pixel Breach Involving 3rd Party

Latest Health Provider to Treat Use of Online Trackers as Reportable HIPAA Breach
Clinic Reports Tracking Pixel Breach Involving 3rd Party
Aurora BayCare Medical Center (Image: BayCare Clinic)

Newfound unease by clinicians over advertising-driven surveillance is causing a Midwest specialty medical care clinic to treat patient exposure to online tracking pixels as a data breach reportable to federal regulators.

See Also: Using the Netskope HIPAA Mapping Guide

BayCare Clinic in Wisconsin earlier this month told the U.S. Department of Health and Human Services that 134,000 of its patients are affected by the deployment of online tracking technology by a partner that provided its electronic medical record system.

The clinic is at least the fourth major health provider to treat patient exposure to online behavior trackers as a reportable HIPAA breach. The department in December warned healthcare entities that commercial web traffic trackers offered by companies such as Google and Facebook could violate patient privacy law when embedded into patient portals (see: HHS: Web Trackers in Patient Portals Violate HIPAA).

Concerns over the use of tracking pixels in the healthcare industry exploded over the last year, especially after the Supreme Court's decision last June to overturn Roe v. Wade, the five-decade judicial precedent that guaranteed nationwide access to abortion. Reproductive health and privacy experts warned that law enforcement may attempt to collect information about abortions through digital footprints.

BayCare says the trackers potentially sent tech companies patient information including the dates, times and locations of scheduled appointments; the type of appointment or procedure; patients' proximity to a practice location; and insurance information.

BayCare describes itself as "the largest physician-owned specialty-care clinic in northeastern Wisconsin and Michigan’s Upper Peninsula.," It has more than 20 specialties and more than 100 physicians serving in 16 area communities.

Clinic patients' exposure to trackers stems from BayCare's use of websites supported by the Advocate Aurora Health system, the clinic says in a notice.

Advocate Aurora Health is among the entities that reported their use of online trackers from Google and Facebook to HHS as a breach. It says 3 million individuals are affected.

The company has removed or disabled the tracking codes from its websites and portals, BayCare says in its notification statement.

Meta - the parent of Facebook - faces a proposed class action lawsuit in San Francisco federal court for alleged health privacy violations through its tracking technology (see: Facebook Slapped with Another Health Data Privacy Lawsuit).

Judge William H. Orrick of the Northern District of California gave plaintiffs a Feb. 21 deadline to file for an amended consolidated complaint.

A study last year by data privacy firm Lokker found that around 2,500 hospitals and healthcare provider websites use Facebook Pixel, Google and similar tracking tools (see: Online Tracking Tools Provoke Patient Privacy Concerns).


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing databreachtoday.com, you agree to our use of cookies.