Epic data breach highlights issues with ad tracking pixel technology

A common digital advertising tactic may leave your patient or customer data vulnerable to a breach.

Innovations in digital advertising and marketing have made it easier than ever to understand patient and customer behavior, and these evolving strategies help healthcare delivery organizations and other companies better understand how to talk to their audience, tailoring content to their specific needs. The problem is that one vulnerability could compromise the privacy of those same individuals’ data.

A healthcare facility recently suffered a unique data breach due to ad-tracking technology on a patient portal. It was indeed unique, but for how long? To keep your organization safe, you’ll need to understand what happened, why it happened, and what you can do to keep a similar type of data breach from happening to your organization.

What happened: An Epic patient portal breach

According to a report from Becker’s Health IT, a Wisconsin-based health clinic suffered a data breach that might have compromised the data of 134,000 patients. The clinic receives Epic EHR access.

The clinic informed its patients that it may have shared their data – including names, appointment information, and messages – with either Google or Facebook after leveraging pixel ad-tracking technology on its Epic patient portal.

Breaches like this one could lead to a serious privacy issue for healthcare delivery organizations using a specific kind of digital advertising tactic. But what is pixel tracking, and how exactly does it work?

What is a tracking pixel ad and how does it work?

Pixels are defined as “code that can be embedded… to track a user’s presence on [a] website.” A user’s presence includes activities they engage in on a site, such as the search terms they use, the pages they view, and the sections of the site they interact with most.

There’s a good chance you’ve visited multiple websites that use pixel technology, as many websites use it. The advantage for an organization operating its site is that it provides valuable customer data that can then be used to build customized marketing campaigns. This includes healthcare delivery organizations who deliver their data to sites such as Google to improve the effectiveness of their marketing efforts.

While many healthcare delivery organizations use pixels on their public-facing sites, some also insert them into their patient portals. That’s where they could potentially expose private patient data to hackers.

What you can do to remain secure

The challenge for healthcare delivery organizations – as well as any other companies entrusted with customer data – is that data breaches such as the one described above have the potential to erode patient or customer trust.

You won’t want to rely on third-party companies who make money from these advertisements to protect individual privacy, either. Facebook raked in over $113 billion in ad revenue in 2022, while Google made over $70 billion. These companies won’t value privacy because the lack of privacy makes their content more valuable to advertisers, driving revenue up.

These types of incidents are further eroding patient trust in care provider’s ability to keep their information safe and private. As patient trust erodes, there will be a larger volume of complaints or inquiries into how their PHI is handles and secured.

You’ll need a credible method for securing the data and responding to complaints as customers use data breaches to examine how their vendors keep their data private and secure. Using a patient privacy monitoring solution that protects patient data can provide credible context for user access in the event of a complaint and investigation.

The right patient privacy monitoring solution for your healthcare organization will lead with privacy and compliance – they won’t be afterthoughts. They are treated as functional and technical requirements and given the same weight as other critical capabilities such as data handling.

Make sure you’re able to prevent data breaches and grow trust within your Epic environment. Learn more about how Imprivata incorporates privacy into its design process to ensure data is handled securely and responsibly.