Monument & Tempest Past Offenses
As stated in its disclosure, Monument discovered that user information had been exposed by its pixel tracking technologies on Tempest’s site as far back as November 2017, and on the Monument website as of January 2020. By the end of 2022, Monument claims it had stopped using “most” tracking tools, and by February 23rd, 2023, it had “fully disconnected” them from Monument’s websites.
The cases of Monument and Tempest are strikingly comparable to recent data breaches affecting very well-known companies that also dealt with pixel tracking.
These companies include BetterHelp, GoodRx, and Cerebral. BetterHelp and GoodRx were recently fined $7.8 million by the Federal Trade Commission for allegedly sharing patient data with Facebook and Snapchat, and Cerebral recently acknowledged disclosing the personal data of more than 3.1 million patients to Google, Meta, TikTok, and other third-party advertisers.
Monument Behind the Scenes
In the case of Monument, the quantity of information that was revealed varies from user to user. According to the company, it depends on the “actions you took on the Monument website, the configuration of the tracking technologies,” as well as the configuration of the web browser that accessed the site. According to Monument, the leak did not contain Social Security numbers or credit card information, and it may have impacted just over 100,000 people.
In a statement sent via email to The Verge, Monument CEO Mike Russell states that “protecting our patients’ privacy is a top priority. We have implemented strong security measures and will keep using the right ones to protect data. Additionally, we have severed ties with third-party advertisers who refuse to abide by our contractual obligations and the law.”
In the Grand Scheme of Tracking Pixels
Ultimately, web tracking is easy to overlook, but it can pose additional risks to patient privacy.
These small pieces of code, officially known as “tracking cookies” or “tracking pixels,” are installed on many websites to track and gather information from website visitors. The same is true in the healthcare industry, where this data helps firms create tailored audiences, analyze website conversion, and provide improved customer experiences.
In December 2022, HHS released an advisory cautioning against the use of cookies and data tracking technology, as they may cause HIPAA violations. This warning serves as a reminder that certain precautions, like contractual safeguards, are necessary, especially when entering a business engagement with a business associate, covered entity, or third-party data collector of protected health information (PHI).
It is crucial to consider the consequences of improper data collection, the sharing of PHI, and HIPAA violations before beginning any form of business transaction or hiring a third-party data collector. The HHS bulletin makes it very clear that PHI, which is often acquired online through portals or mobile applications, requires special attention.