Tracking the growth of healthcare data breaches

There is a worrying symptom of the healthcare industry’s universal adoption of electronic health record systems: the exposure of sensitive patient information through healthcare data breaches.

The benefits of making healthcare data more digitized, distributed, and mobile – including enhanced patient care, patient cooperation, improved disease diagnosis, practice efficiency, and consistently accessible information – are being eroded by a surge in the unauthorized transfer of sensitive data to third parties, or healthcare data breaches.

The IBM 2023 Cost of a Data Breach Report outlines some worrying healthcare data breach statistics:

• Healthcare experiences the highest data breach costs of all industries, increasing from $10.10 million in 2022 to $10.93 million in 2023 – an increase of 8.2%.

• The average cost of a data breach in healthcare has grown 53.3% since 2020, increasing more than $3 million compared to the average cost of $7.13 million three years ago.

• These data breach costs increased for the 13th consecutive year in 2023.

It’s a similar story the world over. In the UK, for example, nearly eight in 10 (79%) providers of frontline healthcare services have experienced at least one data breach since 2021. 

At the heart of this healthcare data breach epidemic is the pervasive use of third-party tracking software on websites. 

Healthcare data breaches: what is third-party tracking software?

Third-party tracking refers to snippets of code, present on multiple websites, that trace or assist in tracking the user’s visit to the site – usually without their explicit consent. They aim to monitor, collect, and send information about the user’s browsing history to third parties that can be leveraged for targeted advertising, analytics, or behavior profiling – but they are exposed to third-party attacks. 

In the context of healthcare, this software harvests information that can be used to identify areas for improvement, allocate resources more effectively, and enhance the patient experience. 

Three common types of web tracking software pervade healthcare systems, creating third-party threats:

• Pixels: Also known as a marketing pixel, this 1×1 pixel graphic is used to track user behavior, site conversions, web traffic, and other metrics – serving a similar purpose to a cookie. The tiny, often invisible pixel-sided image is embedded in everything from banner ads to emails.

• Script: A piece of code that monitors the flow of visitors to a website. The script comprises a string of numbers and letters that make up the code, which is embedded on the website that the organization wants to analyze.

• Tag: A piece of code that is added to a website URL to provide richer analytics about web traffic and user behavior. 

Data privacy 

The ubiquity of this third-party web tracking software in the US healthcare industry is laid bare by a recent study by the University of Pennsylvania. The research, which analyzed data from 2021, shows that almost 99% of hospital websites include web tracking software that leaks data to third parties, including software and social media companies, data brokers, advertisers, and private equity firms. 

Despite their benefits, the use of these tracking tools at almost every US hospital raises significant privacy concerns that healthcare providers are often unaware of. Not only do they monitor, collect, and send identifiable information about users – such as location data, browsing history, demographic data, and health information – to third parties; they do so without their knowledge or consent. 

Their widespread use allows third parties, like advertising giants Alphabet and Meta, that aren’t subject to the Health Insurance Portability and Accountability Act (HIPAA) – a federal law that sets national standards for the protection of individually identifiable health information – to gain access to sensitive health information and browsing behavior that patients might not want shared.

Known as patient profiling, this divisive practice forces healthcare providers to walk the regulatory line by allowing organizations that are not subject to privacy laws to browse people’s internet behavior, get access to sensitive health information, and potentially monetize it.

Healthcare providers that fail to comply with legislation governing access to patient data by using web tracking software negligently expose themselves to legal action – potentially resulting in financial penalties and reputational damage. 

Healthcare data security

The data harvested by web tracking software can be used for various nefarious purposes if it falls into the hands of a malicious actor, including phishing attacks and identity theft. For example, a malicious actor might use the information collected to create a targeted phishing email that appears to be from a legitimate source but contains a malicious link or attachment.

The software, which may not trigger security warnings or alerts due to its size, can also be exploited to bypass security measures such as ad-blockers and anti-virus software. Consequently, users may become vulnerable to malware and other threats without realizing it. 

It can even be used to violate users’ privacy and compromise their online security. For example, a piece of software could be embedded in a website to track the user’s location and movements or monitor their online activity in real-time – information that could be leveraged for malicious purposes like stalking, harassment, or blackmail.

According to the HIPAA Journal, which has compiled healthcare data breach statistics from October 2009, cyberattacks on US healthcare organizations accelerated in 2023, setting two records: the most reported data breaches (725) and the most breached records (more than 133 million) – with web tracking software responsible for some of the largest healthcare data breaches between 2009 and 2023.

How to prevent healthcare data breaches

Amid a surge in data breaches, healthcare providers must select third-party tracking tools that prioritize compliance with regulations like HIPAA in the US or GDPR (General Data Protection Regulation) in the European Union. This vital layer of security ensures patient information is secure, accessible only by authorized persons, and used only for authorized purposes.

With third-party regulatory compliance ensured following a robust vendor selection process, healthcare providers can concentrate on taking a proactive approach to implementing best practices for healthcare security, including: 

• Implement encryption: Ensure all data transmitted to and from third-party tracking tools is encrypted using secure protocols like HTTPS to prevent interception by unauthorized parties.

• Access control: Implement strict access controls to limit who can access and modify data within third-party tracking tools. Use strong authentication methods like multi-factor authentication (MFA) to secure access.

• Data minimization: Limit the amount of sensitive data shared with third-party tracking tools to only what is necessary for their function.

• Data Loss Prevention (DLP): Implement DLP solutions to prevent unauthorized data sharing or leakage through third-party tracking tools. This includes monitoring and blocking sensitive data transfers.

• Regular updates and patching: Keep third-party tracking tools aligned with the latest security patches and updates to address known vulnerabilities.

Tracking pixels

Underscoring the pernicious effects of deploying web tracking technology in healthcare without understanding its impact on data privacy and security is the deluge of legal cases associated with the use of tracking pixels: since August 2022, more than 50 lawsuits have been filed against health systems related to their use of tracking pixels. 

Notable healthcare data breaches

An example of this major theme of healthcare breach notifications in the US is the $6.6 million Novant Health privacy breach lawsuit.

This four-state integrated network of physician clinics, outpatient centers, and hospitals was the first healthcare provider to report a pixel-related HIPAA violation to the HHS Office for Civil Rights. The disclosure of protected health information of up to 1,362,296 individuals to third parties such as Meta (Facebook) between 01 May 2020 to 12 August 2022 stemmed from its use of tracking pixels on its MyChart patient portal.

The pixel code on MyChart gathered the personally identifiable information of users with the admirable intention of “improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care”. Unfortunately, the information was also transferred to unauthorized third-party tech companies that received the data illegally.

This pixel-related problem is mirrored in the UK, where it’s been revealed that NHS trusts are sharing details about patients’ medical conditions, appointments, and treatments with Facebook without consent, having promised not to.

An Observer investigation uncovered the Meta Pixel covert tracking tool in the websites of 20 NHS trusts which has collected browsing information and shared it with the tech giant for a sustained period – data that, when linked to an individual, could reveal personal medical details.

Be proactive

It is not just the number of data breaches that are increasing in the healthcare industry; their impact is becoming more severe – and cybercriminals aren’t always the culprits. 

The irresponsible use of third-party tracking software on healthcare websites exposes patients to another worrying threat: the impermissible transfer of their data to unauthorized third-party organizations without their consent. It also erodes webpage integrity in the process, and subsequently patient trust, making them less willing to use healthcare websites in the future.

The reactive approach to managing this threat is to remove all third-party web tracking software from a website after a data breach has occurred – but this doesn’t prevent the problem from happening again.

Instead, healthcare providers need visibility and control over third-party scripts, pixels, and tags that access patient information. This requires a proactive approach to risk management using an anti-fraud solution.  This empowers them to create an inventory of all third parties they share information with and evaluate their security and privacy practices. This way they’ll know who their digital vendors are, what they are doing, and where the data is being sent.