Be Careful How You Use Tracking Pixels

Tracking pixels are those tiny, invisible beacons that companies like Google and Facebook use to capture information about what you are doing, send it back to the mother ship, aggregate it with other data and then use it, mostly, for advertising purposes. Of course it can be used for many other purposes as well.

The problem comes from the fact that collecting this data without user consent – or at least without effective user consent – might break the law.

While you might only be using it to track visitors to your website, Google or others might be using it for many other purposes.

Many websites have dozens of these beacons on each page you visit. Tools like Ghostery (used to be free, but no longer) and Privacy Badger (free from the EFF) will help you understand how many there are and block them.

So how can that go badly?

Advocate Aurora Health, a 26-hospital system in Wisconsin and Illinois, is notifying 3,000,000 patients that their data was exposed. That is a pretty large data breach. In their case, it comes from Facebook pixels that glommed on to user data on the page(s) where they were installed by the hospital.

We have seen other hospitals declare breaches for similar reasons.

As state privacy laws get stronger, these lawsuits could become more common.

In August, Novant Health also declared a breach of over a million patients for similar reasons.

Here is where it gets interesting. What data do you think those Google or Facebook pixels might capture? Here is a partial list:

  • IP address
  • Date, time and location of scheduled appointment
  • Proximity to the hospital’s location
  • Medical provider information
  • Type of appointment or procedure
  • Communication between MyChart (their patient portal software) users
  • Insurance information
  • Proxy account information

This will be expensive to deal with, both from a remediation standpoint and a lawsuit one.

So a word to the wise. Make sure you know what those beacons are capturing and if you are not sure, please contact us.
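One way to start that inventory, as an added example that is not part of the original post: a short Python script that lists the third-party hosts a page's markup loads scripts, images and iframes from, flags 1x1 images, and shows the query parameters each request would carry. The sample page, the host names (`hospital.example`, `tracker-a.example`, `tracker-b.example`) and the parameters are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Constructed sample page (hypothetical hosts and parameters).
SAMPLE_HTML = """
<html><body>
<script src="https://cdn.hospital.example/app.js"></script>
<script src="https://tracker-a.example/events.js?id=123"></script>
<img src="https://tracker-b.example/tr?ev=PageView&amp;dl=%2Fappointments%3Fdoctor%3Dsmith" width="1" height="1">
<img src="/static/logo.png" width="200" height="80">
<iframe src="https://tracker-a.example/frame"></iframe>
</body></html>
"""

class BeaconAudit(HTMLParser):
    """Collect third-party resources referenced by script/img/iframe tags."""
    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in ("script", "img", "iframe"):
            return
        a = dict(attrs)
        src = a.get("src")
        if not src:
            return
        url = urlparse(src)
        host = url.hostname
        # Relative URLs and first-party (sub)domains are not third-party.
        if host is None or host == self.first_party or host.endswith("." + self.first_party):
            return
        pixel = tag == "img" and a.get("width") == "1" and a.get("height") == "1"
        self.findings.append(
            {"host": host, "tag": tag, "pixel": pixel, "params": parse_qs(url.query)}
        )

def audit(html, first_party):
    p = BeaconAudit(first_party)
    p.feed(html)
    p.close()
    return p.findings

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML, "hospital.example"):
        kind = "1x1 pixel" if f["pixel"] else f["tag"]
        print(f"{f['host']:20} {kind:10} params={f['params']}")
```

This only sees tags present in the static markup; beacons that scripts inject at runtime have to be found in a browser's network log.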

Credit: Bleeping Computer
