Monument and Tempest, both offering tools for patients battling with alcohol addiction, have come under fire for exposing patient information. The companies attribute the intrusion to the pixel-tracking software they installed on their websites for marketing purposes. According to an earlier TechCrunch investigation, the online alcohol rehabilitation services acknowledged exchanging confidential patient information with marketers for years.
According to a disclosure Monument (which purchased Temple in 2022) filed with the California Attorney General, the tracking techniques used on both services may have shared:
- Email addresses
- Phone numbers
- Home locations
- Insurance information
The responses of patients to self-evaluations of their drinking habits, which Monument expressly states are “protected” and utilized solely by its care teams, may also have been exposed.
Pixel Tracking Within the Businesses
After the U.S. Department of Health and Human Services (HHS) released advice on monitoring pixels in late 2022, Monument evaluated its usage of them. Health companies are cautioned by the HHS against using pixel-tracking software as they may subject them to legal action for violating patient privacy.
Literally, a tracking pixel is a tiny, frequently invisible software that displays on a user’s screen. It accomplishes the same task as a browser cookie, albeit there are several clear distinctions and benefits.
Pixels are created by companies such as:
From these well-known companies, the tracking pixels can be embedded into:
They keep track of information about user clicks and form submissions, which is then used by both parties to develop custom advertisements or to better understand their respective user bases.
Monument & Tempest Past Offenses
As stated in its disclosure, Monument discovered that user information had been exposed by its pixel tracking technologies on Tempest’s site as far back as November 2017, and on the Monument website as of January 2020. By the end of 2022, Monument claims it had stopped using “most” tracking tools, and by February 23rd, 2023, it had “fully disconnected” them from Monument’s websites.
The cases of Monument and Tempest are strikingly comparable to recent data breaches affecting very well-known companies that also dealt with pixel tracking.
These companies include:
- Cerebral Health
BetterHelp and GoodRx were recently fined $7.8 million by the Federal Trade Commission for allegedly sharing patient data with Facebook and Snapchat, and Cerebral recently acknowledged disclosing the personal data of more than 3.1 million patients to Google, Meta, TikTok, and other third-party advertisers.
Monument Behind the Scenes
According to the corporation, it relies on the “actions you took on the Monument website, the configuration of the tracking technologies,” as well as the configuration of the web browser that accessed the site. In the case of Monument, the quantity of information that is revealed varies from user to user. However, according to Monument, the leak did not contain Social Security numbers or credit card information, and it may have impacted just over 100,000 people.
In a statement sent via email to The Verge, Monument CEO Mike Russell states that “protecting our patients’ privacy is a top priority. We have implemented strong security measures and will keep using the right ones to protect data. Additionally, we have severed ties with third-party advertisers who refuse to abide by our contractual obligations and the law.”
In the Grand Scheme of Tracking Pixels
Ultimately, web tracking can be overlooked but can potentially pose extra concerns to patient privacy.
These small pieces of code, which are used to track and gather information from website visitors, officially known as “tracking cookies” or “tracking pixels,” are installed on many websites. The same is true in the healthcare industry, where this data aids firms in creating tailored audiences, analyzing website conversion, and providing improved customer experiences.
In December 2022, HHS released an advisory cautioning against the usage of cookies and data tracking technology as they may be the cause of HIPAA violations. This warning can serve as a reminder that certain precautions, like contractual safeguards, are necessary, especially when seeking a business engagement with a business associate, covered entity, or third-party data collectors of protected health information (PHI).
It is crucial to consider the consequences of improper data collection, the sharing of PHI, and HIPAA violations before beginning any form of business transaction or hiring a third party data collector. The HHS bulletin makes it very clear that PHI that is often acquired online through portals or mobile applications requires special attention.