by
Gus Iversen, Editor in Chief | April 12, 2023
New research suggests that virtually all hospital websites may be sharing data with third-party trackers, raising patient privacy red flags.
The study,
published by Health Affairs, focused on homepages and found over 98% of them had at least one third-party data transfer and over 94% had at least one cookie in August 2021. The data was collected from 3,747 hospital homepages.
Tracking codes are typically used by technology vendors who might offer website analytics, social media widgets or information about how online advertisements perform in exchange for access to that data. The most commonly cited third-party trackers were Alphabet (the parent of Google), Meta (the parent of Facebook), and Adobe Systems. Others included AT&T, Microsoft, Amazon, and many more.
"Hospitals in health systems, hospitals with a medical school affiliation, and hospitals serving more urban patient populations all exposed visitors to higher levels of tracking in adjusted analyses," wrote the researchers. "By including third-party tracking code on their websites, hospitals are facilitating the profiling of their patients by third parties."
In response to the findings, the healthcare safety advocacy group ECRI issued a statement saying the findings underscored the need to update health IT regulations, like HIPAA, to address practices that have developed since their enactment.
“Hospitals must stop this practice immediately by removing third party tracking from their websites and, along with advertisers, take responsibility or be held liable for any harm that can be traced back to a data sharing arrangement," said ECRI president, Dr. Marcus Schabacker. "In partnership with their chief information security officers, hospitals should alert patients who had their private health data compromised and warn them about potential risks. In cases where a clear violation has been committed, legal action may be warranted."
To conduct the study, researchers used an open source tool called WebXray that records third-party tracking, and recorded data requests on hospital websites that initiated data transfers to third-party domains over a three day period in August 2021.
