Pixel tracking raises privacy violation risk in healthcare

Pixel tracking raises privacy violation risk in healthcare

The risks of using pixel technology should make companies think twice, especially with the insurance liabilities that privacy violations can create, according to Corvus, an insurance data and technology services provider.

Pixel technology is a means for websites to track user activity that pick up on all of a user’s activity, beyond just the primary website itself. Facebook’s parent, Meta, and Google have been sued for privacy violations in the past year over their use of pixels.

Lauren Winchester, senior vice president of risk and response, Corvus Insurance

“Insurers will have to grapple with the question of whether a pixel-related lawsuit or regulatory inquiry triggers coverage,” said Lauren Winchester, senior vice president of risk and response at Corvus Insurance. “The first claims related to pixel tracking are starting to make their way to insurers. As with all coverage determinations, it comes down to the language of the policy. We’ll know in short order how the market is approaching it.”

Corporate cyber policies cover class action and individual lawsuits, as well as legal representation in response to regulatory actions for privacy violations. The key is whether they are worded just to cover data breaches or deliberate actions that violate privacy, as when a company or site activates a pixel to track a user’s activity. 

“What we’ll see over the next couple months is how insurers react to it and how brokers and customers react to it,” Winchester said. 

Corvus provides scans of companies’ public-facing web infrastructure to catch software vulnerabilities along with pixel tracking. From reviewing these scans, Corvus advises companies’ leaders how to evaluate their privacy risks, to be proactive for Corvus policyholders, according to Winchester.

See also  91 Percent Of Drivers Don't Trust Self-Driving Cars: Survey

The healthcare industry is particularly vulnerable to privacy breach or violation issues because of HIPAA law governing patient confidentiality. On December 1, the U.S. Department of Health and Human Services issued guidance emphasizing that health care insurers, providers and related entities can be subject to penalties for disclosing HIPAA-protected information when they use pixel tracking. 

The guidance means “you need to evaluate what pages pixels were used on and what data was sent,” Winchester said. “And presuming a breach, if patient information was sent, if IP addresses were sent. That will force a lot of healthcare organizations to evaluate the privacy implications of using pixel.”

Corvus recommends its health care industry policyholders stop using tracking pixels. “We think it’s pretty clear that the cost is going to outweigh the benefits there. And counsel agrees with that approach as well,” Winchester said.

Companies, or departments within companies, may not even be aware that they are using pixel tracking, especially if it’s their marketing department using pixels. “Bring those departments together to have a conversation about the usage and to do a risk benefit analysis to ask if the benefits of using this tracking technology really outweigh the risk of liability,” said Winchester. 

“For some industries, the answer right now is yes,” she added. “In online retail, being able to do retargeting ads and drive consumers back to your website to make purchases. In certain industries, it may not be worth it. The group doing cost benefit analysis needs to reevaluate regularly because of how quickly the legal landscape is changing. We also recommend updating privacy policies on websites to be more explicit about the use of tracking technologies. If you’re going to continue using it, make sure you get the right kind of consent from those visiting your website.”

See also  Connecticut Will See A 10% Decrease in Workers’ Compensation Rates in 2024