A “Creepy, Problematic, and Potentially illegal” Problem.
When it comes to security and healthcare, most patients expect, at the very least, doctor-patient confidentiality. If web trackers are embedded within the JavaScript on a healthcare website you expect full security. I mean, you shouldn’t have to worry about someone working at Facebook knowing your personal healthcare information, like the details of a doctor’s appointment, right?
Well…that might not be the case based on discoveries from a recent study conducted by The Markup, a nonprofit newsroom that investigates “how powerful institutions are using technology to change our society.”
The study looked at Newsweek’s top 100 hospitals in America. On one-third of the websites, researchers found a Facebook tracker, called the Meta Pixel, sending Facebook highly personal healthcare data whenever the user clicked the “schedule appointment” button. Because the data is connected to an IP address, the IP address and the appointment information gets delivered to Facebook.
So, Facebook Knows the Day and Time I Am Going to the Doctor. What’s the Big Deal?
Well, for starters, it’s not just the day and time being sent in trackers like these. In the case of this study, researchers found that web trackers sent Facebook the following information, depending on how the tracker was structured on the webpage:
- Doctor’s name
- Search term used to find the doctor’s name
- Health conditions selected from drop down menus (e.g., pregnancy or Alzheimers)
Researchers also discovered the Facebook Meta Pixel tracker installed inside password-protected patient portals. Data collection from the private patient portals included:
- Patient medication names
- Descriptions of allergic reactions
- Details about upcoming doctor’s appointments.
In addition, the Meta Pixel data packets include the user’s IP address that can be used, in combination with other user data, to identify the individual or household. The Healthcare Insurance Portability and Accountability Act (HIPAA) lists IP address as one of the identifiers (along with things like name and address) that when linked to information about a person’s health condition, qualifies as protected health information (PHI).
Web Trackers & Security: These Healthcare Providers Are Likely Violating HIPAA (with Facebook’s Help)
Experts in big data and healthcare describe the prevalence of web trackers capturing sensitive patient information as a “creepy, problematic, and potentially illegal” security problem. Researchers in this study consulted health data security experts, former health regulators, and privacy advocates, all of whom believed that the hospitals in question likely violated HIPAA.
The Health Insurance Portability and Accountability Act (HIPAA) protects sensitive health information (known as PHI) from being disclosed without the individual patient’s consent or knowledge. According to regulations, PHI may only be shared when the patient has provided advance consent or under the terms of certain contracts. It seems that neither the hospitals nor Facebook (Meta) had such contracts in place, suggesting that hospitals were releasing and Facebook was capturing this information without patient consent.
A spokesperson from Facebook’s parent company, Meta responded to the researchers with a brief email claiming that Meta’s systems are designed to filter potentially sensitive health information which may be submitted in error through the use of their business tools. However, an investigation in 2021 found that the Meta filtering system was “not yet operating with complete accuracy.” A subsequent investigation by researchers at The Markup discovered that Meta’s health information filtering system did not, in fact, block information related to health conditions and appointment types (e.g., pregnancy or Alzheimers).
Internal Facebook employees have been more candid about the efficacy of the company’s sensitive information filtering tools. According to a 2021 leaked statement from one Facebook engineer, “We do not have an adequate level of control and explainability over how our systems use data, and thus we can’t confidently make controlled policy changes or external commitments such as ‘we will not use X data for Y purpose.’”
What Are Web Trackers?
Web trackers, like ‘Meta Pixel,” use code to track users’ online activity, as they navigate a website or as part of web browser activities. Tracking includes the buttons the user clicks, the information they type into forms, and the pages on the site they visit.
It’s important to note that Meta Pixel isn’t the only web tracker out there. In addition to cookies, web beacons, fingerprinters (browser fingerprinting), super cookies, embedded scripts, and cross-site trackers are other types of web trackers. Many companies use trackers for targeted ads and social media, including Twitter, Google, Facebook, Amazon, AppNexus, and ComScore. While many trackers are used just for advertising purposes, others are used to track behavior and user analytics.
Web Trackers: a JavaScript Security Nightmare
Because web trackers involve code embedded in the front end or client side of a website, there are significant JavaScript security implications. Companies use web trackers to collect as much information as they legally can about their users. For the vast majority of companies, this information amounts to nothing more than data that is aggregated into website analytics for advertising or search engine optimization (SEO) purposes. However, if the trackers are embedded in the wrong locations—near patient health or financial forms or near credentials and logins—then businesses are at risk of non-compliance with regulations and standards and having highly sensitive customer information fall into the wrong hands.
When It Comes to Web Trackers and JavaScript Security, Should You Worry?
The long and short answers are both yes. First and foremost, improperly used web trackers could result in significant regulatory violations, including HIPAA, General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS), and others. Penalties for compliance violations include fines and reputation damage.
Even more concerning, a recent study conducted by several researchers from Radboud University and the University of Lausanne found that thousands of websites among the world’s top 100,000 were leaking information entered into site forms. This information included “personal identifiers, email addresses, usernames, passwords, or even messages entered into forms and then deleted and never actually submitted.” While the trackers themselves were only intended to monitor end user activity or determine anonymous user preferences, because tracker code was embedded near areas that collected sensitive data, both the user activity and the sensitive information were ultimately sent to third parties. This presents serious privacy and security issues, since no one wants their user name and password data leaked to employees working at third-party advertisers.
How Can Businesses Improve Web Tracker Security?
To improve the security associated with web trackers, businesses should apply JavaScript security best practices to both the development and AppSec lifecycles. Key steps include using automated monitoring and inspection to avoid the time and problems associated with manual code reviews. A purpose-built solution that automates the process can be a fast and easy way to identify unauthorized script activity. In addition, an automated content security policy (CSP) tool can help businesses better manage policies and any vulnerabilities within the policies on their web applications. Automated CSP tools identify all your first- and third-party scripts, your digital assets, and the data they can access. The tool then generates appropriate Content Security Policies based on crawled data and anticipated effectiveness.
