When patients visit a hospital website to find physicians, research conditions or schedule appointments, tiny pieces of embedded code can transmit their Internet Protocol (IP) addresses and browsing behavior to companies such as Meta and Google.

These code snippets, known as tracking pixels, are standard internet tools that target advertising and measure how people interact with websites. Still, their widespread use in health care has consequences that a Rutgers-led study in PNAS Nexus is the first to quantify.

Researchers at Rutgers Business School-Newark and New Brunswick analyzed 12 years of website data from 1,201 hospitals. They found that 66% of the hospitals used third-party tracking pixels and that those hospitals were 46% more likely to experience a data breach.

“The problem with third-party pixel tracking is that hospitals are sharing patients’ information with so many vendors,” said Maria Zhang, a doctoral degree candidate at Rutgers Business School-Newark and New Brunswick and one of the study’s three authors. “What ends up happening is you don’t know, as an organization, where your patients’ data went.”

In 2022, health system Advocate Aurora Health reported its website's tracking pixels exposed data from roughly 3 million patients. The following year, Community Health Network disclosed a pixel-related breach affecting about 1.5 million patients.

Unlike cookies, which users can block or clear from their devices, tracking pixels exist in website code and typically transmit information to outside vendors the moment a page loads.

Hospitals consciously use tracking pixels for marketing, website analytics and public health surveillance, such as tracking rising searches for particular diseases. But the researchers found that hospitals sometimes underestimate how many pixel trackers commercial software uses and how much data those trackers collect.

“Sometimes organizations may not even be questioning every single use of tracking pixels. It’s kind of part of the whole data analytics suite,” said Hilal Atasoy, an associate professor at Rutgers Business School-Newark and New Brunswick who led the study.

Although the privacy rules in the 1996 Health Insurance Portability and Accountability Act focus more on individual patient records than web-browsing behavior, the Department of Health and Human Services (HHS) issued a bulletin in December 2022 clarifying that IP addresses linked to hospital web pages could constitute protected health information. 

In 2023, HHS and the Federal Trade Commission sent warning letters to 130 health care providers. The American Hospital Association responded by filing a suit, still unresolved, that argues regulatory overreach.

Despite the regulatory scrutiny, the study found that hospital use of tracking pixels continued to climb through 2023, all with little attention from the general public or privacy advocates. 

“What I was most surprised about is how long these have been in use and how much they went under the radar,” said Ryan McDonough, an assistant professor at the business school who co-authored the study. “Nobody even talked about them.”

Hospitals that want the benefits of pixel trackers without the risk of data breaches do have an option: writing their own software. Rutgers researchers found no rise in data breaches at hospitals with homegrown software because their pixel trackers never transmitted the data they collected to any third parties. However, only the largest and richest hospital systems have the resources to write custom analytics software from scratch.
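To illustrate the inventory problem and the first-party versus third-party distinction described above, here is an added example (not code from the study or from any hospital) that lists the outside sites a page's markup loads resources from. The page URL, the vendor domains and the two-label definition of a "site" are constructed assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlsplit

# Tags whose src attribute normally makes the browser issue a request on load.
LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src"}


def site_of(host):
    """Naive site name: last two labels (assumption; a real audit should
    use the Public Suffix List)."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


class LoadCollector(HTMLParser):
    """Collects (tag, absolute URL) for each resource tag in the markup."""

    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.loads = []

    def handle_starttag(self, tag, attrs):
        url = dict(attrs).get(LOAD_ATTRS.get(tag, ""))
        if url:
            self.loads.append((tag, urljoin(self.page_url, url)))


def third_party_loads(page_url, html):
    """Map each third-party site to the resources the page fetches from it."""
    first_party = site_of(urlsplit(page_url).hostname)
    collector = LoadCollector(page_url)
    collector.feed(html)
    found = {}
    for tag, url in collector.loads:
        host = urlsplit(url).hostname  # None for data: URIs, which are skipped
        if host and site_of(host) != first_party:
            found.setdefault(site_of(host), []).append((tag, url))
    return found


# Constructed sample page: one first-party pixel, two outside vendors.
SAMPLE_PAGE = "https://www.hospital.example/find-a-doctor"
SAMPLE_HTML = """<html><head><script src="/static/app.js"></script>
<script src="https://cdn.metrics-vendor.example/tag.js"></script></head><body>
<img src="https://stats.hospital.example/hit.gif?page=find-a-doctor" width="1">
<img src="//px.ads-vendor.example/tr?ev=PageView" width="1" height="1">
<iframe src="https://px.ads-vendor.example/sync"></iframe></body></html>"""

if __name__ == "__main__":
    for site, loads in sorted(third_party_loads(SAMPLE_PAGE, SAMPLE_HTML).items()):
        print(site, [url for _, url in loads])
```

A static parse only sees tags present in the delivered markup; trackers that a tag manager or analytics suite injects at runtime appear only in the browser's network log, so the two views should be compared.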

As for patients, they have limited options. Virtual private networks, or VPNs, can mask an IP address, but they cost money and complicate Internet usage.