A few weeks ago we wrote about the “creepy, problematic, and potentially illegal” problems associated with web tracker security—in particular, the security risks of Facebook’s Meta Pixel, its ability to collect and use sensitive healthcare data, and the risks of hospital privacy lawsuits. It seems those creepy and illegal problems have come home to roost, with news this week that plaintiffs have filed a class action lawsuit in the Northern District of California against three entities: Meta (Facebook) and two healthcare facilities (the University of California San Francisco (UCSF) Medical Center and the Dignity Health Medical Foundation). The lawsuit alleges that Facebook and the hospitals are engaged in data privacy violations by unlawfully collecting sensitive patient healthcare data and using it for targeted advertising.
The plaintiffs in the lawsuit claim that neither the hospitals nor Meta (Facebook) alert patients to the fact that their sensitive health information is being collected and used for advertising or provide user consents for such purposes. The data being collected and used for target advertising include sensitive patient information, such as health conditions, doctors, medication, IP address, and other data. Patients claim that the hospitals and Facebook violated their privacy when Facebook began targeting them with advertisements specifically related to their medical conditions.
HIPAA and Web Tracker Security
While many in the cybersecurity industry (including Feroot) have been reminding businesses for a while that improperly placed web trackers have the potential to cause a host of problems, including compliance and regulatory violations, a recent study by The Markup highlighted those risks for a broader audience. In its study, The Markup looked at Newsweek’s top 100 hospitals in America. On one-third of the websites, Markup researchers found a Facebook tracker, called the Meta Pixel, sending Facebook highly personal healthcare data whenever the user clicked the “schedule appointment” button. Because the data is connected to an IP address, the IP address and the appointment information gets delivered to Facebook.
Within the Meta Pixel data packets, the user’s IP address can be used in combination with other user data to identify the individual or household. The Healthcare Insurance Portability and Accountability Act (HIPAA) lists “IP address” as one of the identifiers (along with things like name and address) that when linked to information about a person’s health condition, qualifies as protected health information (PHI).
Researchers in the study by The Markup consulted health data security experts, former health regulators, and privacy advocates, all of whom believed that the hospitals in question likely violated HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information (known as PHI) from being disclosed without the individual patient’s consent or knowledge. According to regulations, PHI may only be shared when the patient has provided advance consent or under the terms of certain contracts.
Why Meta Pixel and Other Trackers Are Data Security Risks
Because web trackers involve code embedded in the front end or client side of a website, there are significant JavaScript security concerns. Trackers embedded in inappropriate locations—near patient health or financial forms or near credentials and logins—can leak sensitive data, placing businesses at risk of lawsuits, non-compliance with regulations and standards, and having highly sensitive customer information fall into the wrong hands.
A recent study conducted by several researchers from Radboud University and the University of Lausanne found that thousands of websites among the world’s top 100,000 were leaking information entered into site forms. This information included “personal identifiers, email addresses, usernames, passwords, or even messages entered into forms and then deleted and never actually submitted.”
In addition to HIPAA, regulatory concerns include the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and others. Penalties for compliance violations include fines and reputation damage.
What is a Meta Pixel?
Meta Pixel is a type of web tracker created by Facebook and used to track users’ online activity, as they navigate a website or as part of web browser activities. The code included in the tracker captures the buttons the user clicks, the information they type into forms, and the pages on the site they visit. Web trackers take up very little code space (in the case of Meta Pixel, just one pixel, hence the name), so they’re difficult for application security professionals to spot and discover during code reviews. According to the lawsuit, Meta Pixel is embedded “on millions of websites, including 30% of the top 80,000 most popular sites.”
Meta Pixel isn’t the only big web tracker out there. Many companies use trackers for targeted ads and social media, including Twitter, Google, Facebook, Amazon, AppNexus, and ComScore. Other types of web trackers include cookies, web beacons, fingerprinters (browser fingerprinting), super cookies, embedded scripts, and cross-site trackers. While many trackers are used just for advertising purposes, others are used to track behavior and user analytics.
In the case of most trackers including Meta Pixel, even if the end user doesn’t have an account with the entity that owns the pixel/tracker (e.g., Facebook), the end user’s information is still collected and sent to the pixel’s owner. And sensitive information filtering tools have proven to be ineffective. According to a 2021 leaked statement from a Facebook engineer, “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’”
Web Tracker Security: What Should You Do?
To improve the security associated with web trackers, businesses should use a client-side attack surface monitoring solution to avoid the time and problems associated with manual code reviews. A purpose-built solution that automates the process can be a fast and easy way to identify unauthorized script activity. In addition, an automated content security policy (CSP) tool can help businesses better manage policies and any vulnerabilities within the policies on their web applications.
