The new and emerging state privacy laws have created a challenging patchwork of rules that require all organizations to implement new data privacy protections. This is particularly true for healthcare organizations, who continue to bear the cost of third parties misusing their patients’ and customers’ data.
There have been 11 class-action lawsuits filed in California alone this year so far, and dozens more are pending. In addition to these lawsuits, both state and federal regulators are demanding greater privacy protections, citing HIPAA directly, various state privacy laws, or the warning issued by the Department of Health and Human Services. Not only are these new enforcement actions accelerating, but old laws are also being brought to the fore in new ways, making all of us rethink how we build our websites. These include the Video Privacy Protection Act (VPPA) of 1988 and multiple state wiretapping laws.
Are more healthcare organizations at risk?
We took a closer look and found that many healthcare organization websites are at significant risk of web privacy violations. We analyzed 5,000 healthcare websites and found the presence of the following social media trackers, which have been the source of several lawsuits:
- Facebook on 40%
- Microsoft on 13%
- Twitter on 8%
- Pinterest on 6%
- TikTok on 5%
- SnapChat on 3%
We also noticed a few standard practices driving up risk that we want to call out for healthcare providers:
Not all web pages on a website present the same level of privacy risk, and a single risky page can still pose a big threat to an organization. Different web pages use different tools and therefore present different risks to the users who visit them. For example, contact pages and pages with appointment bookings or requests tend to pose the greatest data privacy risk because of the sensitive information they ask for in a form, especially when the questions relate to specific health symptoms. If trackers and pixels are allowed on those pages, the risk increases dramatically, both in the likelihood of an incident and in its cost.
To further illustrate this point, some organizations tailor the content on a page specifically enough that any page on the website could be considered sensitive. For example, an addiction treatment center we analyzed used multiple session recording tools and trackers on symptoms pages related to intake, putting the site at severe risk of a data privacy breach. In this case, the site didn’t have a consent banner either, but even if it did, the tracking behavior wouldn’t be tolerated. You can’t ask consumers to consent to breaking the law.
We recommend healthcare organizations change their perspective from consent to data protection. They should review their website for the use of social media pixels and tracking tools, especially the Meta pixel, which has been the source of so many recent lawsuits and regulatory actions (and which we found on 40% of the healthcare websites we investigated). We recommend removing these trackers and monitoring what sensitive health information is being collected on the website and where it is going. This is an ongoing task for software, not a one-and-done exercise.
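As an added illustration of the page-by-page review described above (example code, not part of the original article or any vendor's tooling), the following Node.js function takes a snapshot of one page (the URLs it requested plus the names of its form fields) and flags pages that load a third-party tracker while collecting health-related input. The tracker hostname table and the sensitive-field pattern are assumptions of this example and should be maintained by the reader; the sample page is constructed.

```javascript
// Audit one page snapshot: third-party trackers present + sensitive form fields => risk level.
// Hostnames below are ones commonly associated with the vendors named in the article;
// this list is an assumption of the example, not an authoritative catalogue.
const TRACKER_HOSTS = {
  'connect.facebook.net': 'Meta pixel',
  'www.facebook.com': 'Meta pixel endpoint',
  'bat.bing.com': 'Microsoft UET tag',
  'www.clarity.ms': 'Microsoft Clarity (session recording)',
  'static.ads-twitter.com': 'Twitter pixel',
  'ct.pinterest.com': 'Pinterest tag',
  'analytics.tiktok.com': 'TikTok pixel',
  'sc-static.net': 'Snapchat pixel',
};

// Heuristic (assumed) for field names that suggest health-related or identifying input.
const SENSITIVE_FIELD_RE =
  /symptom|condition|diagnos|medication|treatment|appointment|insurance|birth|dob|ssn|phone|email/i;

function hostOf(url) {
  try { return new URL(url).hostname; } catch { return null; }
}

// snapshot = { url, requests: [absolute URLs the page loaded], formFields: [input names] }
function auditPage(snapshot) {
  const trackers = [];
  for (const url of snapshot.requests) {
    const host = hostOf(url);
    if (host && TRACKER_HOSTS[host]) trackers.push({ host, vendor: TRACKER_HOSTS[host] });
  }
  const sensitiveFields = snapshot.formFields.filter((f) => SENSITIVE_FIELD_RE.test(f));
  // No tracker: low. Tracker on a page without sensitive input: medium.
  // Tracker on a page that collects sensitive input: high (the article's appointment/symptom case).
  let risk = 'low';
  if (trackers.length > 0) risk = sensitiveFields.length > 0 ? 'high' : 'medium';
  return { url: snapshot.url, trackers, sensitiveFields, risk };
}

// Constructed sample: an appointment-request page that loads the Meta pixel and a session recorder.
const SAMPLE_PAGE = {
  url: 'https://example-clinic.invalid/request-appointment',
  requests: [
    'https://example-clinic.invalid/static/app.js',
    'https://connect.facebook.net/en_US/fbevents.js',
    'https://www.clarity.ms/tag/placeholder-project-id',
  ],
  formFields: ['first_name', 'email', 'primary_symptoms', 'preferred_appointment_date'],
};

console.log(JSON.stringify(auditPage(SAMPLE_PAGE), null, 2));
```

In practice the snapshot would come from a crawl (for example, a headless browser's request log and the DOM of each page), run on a schedule so that newly added tags are caught rather than reviewed once.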