A new cyber risk for healthcare organizations is emerging internally from unsuspecting marketing departments, as insurers report increased claims from website tracking tools.
Pixels are a newer way for websites to track users’ interactions and are so popular that most websites now use them. Unlike cookies, which are tied to a user’s browser, tracking pixels are triggered when a webpage loads and send information directly to a web server.
The data that pixels can collect offers enormous potential for improving targeted marketing campaigns and increasing a company’s understanding of its customers.
According to insurer Beazley, the focus of a lot of recent litigation is the Meta pixel, which collects user data and then shares it with Facebook and Instagram. This is a big problem for U.S. healthcare companies.
Healthcare organizations using pixels may be sharing Protected Health Information (PHI) with Facebook and other advertisers without patient consent.
This issue is critical if pixels are on patient portals. However, PHI can be collected when pixels are just on forward-facing public websites. Even when such sharing is accidental, it can lead to significant liability under HIPAA, state laws, and common law torts.
In June 2022, news nonprofit The Markup published an article warning that 33 of the top 100 hospitals were using pixels on their websites.
Since that article was published, more than 30 class action lawsuits have been filed against hospitals, according to Beazley. The suits allege various state statutory, contract, and tort claims based on the alleged sharing of PHI without patient consent.
Beazley reports most of the class actions are surviving motions to dismiss. And as of December 2022, only one hospital had settled its class action for around $18 million.
The business insurer anticipates the number of lawsuits will continue to grow and that the cost to defend and settle will be significant.
Beazley recommends that organizations adopt an enterprise view of risk and compliance, especially when engaging with customers in the digital space.
Legal and risk teams need to work with marketing to learn what technology they are using and how they collect, use, and retain data for targeted advertising.
If you are not sure whether a website is using pixels, you can use a search tool found here: https://themarkup.org/
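For teams that want to check their own pages directly, the following added example (not from Beazley, The Markup, or this article's author) scans saved page HTML for the Meta pixel loader, its `/tr` image beacon, and other third-party 1x1 images. The hostname `hospital.example`, the host `metrics.example.net`, and the pixel ID are constructed placeholders.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

META_LOADER_HOST = "connect.facebook.net"                 # serves fbevents.js
META_BEACON_HOSTS = {"www.facebook.com", "facebook.com"}  # /tr image beacon

class PixelAudit(HTMLParser):
    def __init__(self, first_party_host):
        super().__init__()
        self.first_party = first_party_host
        self.findings = []      # (kind, detail) tuples in document order
        self._script = None     # buffers inline <script> text

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        url = urlparse(a.get("src") or "")
        host = url.hostname or ""
        if tag == "script":
            self._script = []
            if host == META_LOADER_HOST:
                self.findings.append(("meta-pixel-script", url.path))
        elif tag == "img" and host:
            if host in META_BEACON_HOSTS and url.path == "/tr":
                pixel_id = parse_qs(url.query).get("id", ["?"])[0]
                self.findings.append(("meta-pixel-beacon", pixel_id))
            elif host != self.first_party and (a.get("width"), a.get("height")) == ("1", "1"):
                self.findings.append(("third-party-1x1-image", host))

    def handle_data(self, data):
        if self._script is not None:
            self._script.append(data)

    def handle_endtag(self, tag):
        if tag == "script" and self._script is not None:
            text = "".join(self._script)
            if "fbq(" in text or META_LOADER_HOST in text:
                self.findings.append(("meta-pixel-inline", "fbq call or fbevents loader"))
            self._script = None

def audit_page(html, first_party_host):
    parser = PixelAudit(first_party_host)
    parser.feed(html)
    return parser.findings

# Constructed sample page; the pixel id and hostnames are placeholders.
SAMPLE = """<script>fbq('init','000000000000000');fbq('track','PageView');</script>
<noscript><img height="1" width="1" src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView"/></noscript>
<img src="/logo.png" width="120" height="40">
<img src="https://metrics.example.net/p.gif" width="1" height="1">"""
```

A static scan like this misses pixels that a tag manager injects at runtime, so treat a clean result as a starting point and confirm against the network requests the page makes in a browser.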
After better understanding their risk, organizations should talk with their insurance brokers to understand what, if any, coverage limitations or gaps exist.
Chivaroli and Associates Insurance Services is a full-service brokerage firm specializing in the custom-design and placement of insurance and alternative risk funding solutions for your healthcare organization.