Data Breach Lawsuits Tied to Tracking Pixel Use On the Rise In Healthcare

April 27, 2023 - As data breach notifications tied to the use of tracking pixels continue to surface, experts have observed a wave of lawsuits following close behind. BakerHostetler observed more than 50 lawsuits being filed against hospital systems related to third-party tracking tech since August 2022, according to the firm’s 2023 Data Security Incident Response Report (DSIR).

The DSIR was based on BakerHostetler’s analysis of the more than 1,160 incidents that its Digital Assets and Data Management Practice Group helped clients manage in 2022.

“The Dobbs decision coincided with the publication of an investigative report about the use of advertising technology on hospital websites. Several regulators scrambled to give consumers, health apps, and HIPAA-covered entities admonishments and guidance on the risks and limitations surrounding the use of this type of technology,” the report stated.

“Simultaneously, a deluge of class actions was filed, alleging various causes of action stemming from the use of this technology. For many healthcare entities, 2022 will be remembered as ‘The Year of the Pixel.’”

As previously reported, numerous healthcare entities have reported major breaches tied to their use of tracking pixels. The breach notices commonly state that the healthcare entity had implemented the technology to understand how visitors interact with their websites, but later discovered that the tech had been inappropriately transmitting sensitive data back to big tech companies such as Meta and Google.

A recent study published in Health Affairs found third-party tracking technologies on 98.6 percent of all US nonfederal acute care hospital websites. The dozens of lawsuits filed in the wake of pixel-related breach notifications show that both consumers and regulators are taking note of this trend.

“The focus on website technologies and health-related information is likely to continue in 2023 and beyond,” BakerHostetler stated.

“Entities should ensure a strong corporate governance process and collaborative approach between marketing and compliance departments, an in-depth understanding of the use of this technology, and a thorough assessment of the risks and benefits conferred on the entity to determine whether continued use is appropriate.”

BakerHostetler is currently defending more than 200 privacy or data security lawsuits, a quarter of which are related to pixels.

Overarching Healthcare Data Breach Lawsuit Trends

Beyond just pixel-related lawsuits, BakerHostetler noted a twofold increase in lawsuits year-over-year across all industries it represents. High-profile data breaches are bound to attract legal interest, but consumers and lawyers have also taken interest in smaller breaches.

Based on BakerHostetler’s analysis of the more than 1,160 incidents that the firm helped clients manage in 2022, 42 of the incidents resulted in one or more lawsuits filed, compared to 23 in 2021. Of the 42 incidents, 26 involved health information, and 20 involved a healthcare organization.

BakerHostetler observed cases in which threat actors used MFA bombing, social engineering, SEO poisoning, and evading endpoint detection and response (EDR) to target victims.

From a regulatory standpoint, four states enacted privacy legislation in 2022, opening organizations up to new compliance obligations. What’s more, the Federal Trade Commission (FTC) has taken an increased interest in health tech companies.

In February and March 2023, the FTC announced two high-profile settlements with GoodRx and BetterHelp for $1.5 million and $7.8 million, respectively.

“In both cases, the FTC challenged health entities sharing consumer health data with third parties for advertising purposes. After several quiet years in the health technology industry, the sudden uptick in the FTC’s activity is likely due to the perfect storm of a post-Dobbs era, where online activity could be used against consumers, and the throng of health-tech startups coming to market in the last few years, driven, at least in part, by needs newly identified during COVID,” the report explained.

“Non-HIPAA-regulated entities need to take a very close look at their privacy policies, ensure that all third-party sharing is adequately described, and ensure that they are obtaining express consent from consumers for any sharing of health information, particularly if the sharing is related to advertising.”

As data privacy laws continue to expand across the country, HIPAA-covered entities and non-HIPAA-covered entities will need to adjust their compliance programs to adapt to new regulations and evolving technologies.