Two-thirds of US hospitals use tracking technology that sends patient data to external vendors, and most have no visibility into what happens to that data after it leaves.
Rutgers University researchers analyzed website data from 1,201 US hospitals spanning 2012 to 2023. They found that hospitals using third-party tracking pixels were 46% more likely to experience a data breach than those that did not. According to HealthTechSecurity, 66% of hospitals in the study used third-party tracking pixels. In comparison, only 14% had implemented first-party alternatives that keep collected data within the organization's own systems. The study, published in the peer-reviewed journal PNAS Nexus, also found hospitals using third-party pixels were linked to a 13% increase in unintended disclosures, the breach category most associated with pixel use. Hospitals that used only first-party pixels showed no substantial relationship with breaches.
Third-party tracking pixels are small code snippets embedded in websites that transmit user activity data, browsing behavior, IP addresses, and sometimes condition-related page visits to external vendors, including Meta and Google. Unlike cookies, which users can block or delete, pixels fire automatically when a page loads. Hospitals use them for marketing analytics, patient engagement campaigns, and monitoring public interest in health topics. The problem is that once data leaves the hospital's environment, the organization loses visibility into how it is stored, shared, or secured by the vendor. Cross-site tracking compounds the risk: vendors can aggregate data from multiple hospital websites and reconstruct behavioral patterns that infer health conditions, even without a formal diagnosis appearing in the transmitted data. Rutgers researchers found that hospital pixel use continued to grow through 2023 despite the wave of regulatory scrutiny and litigation that began in 2022. Hilal Atasoy, PhD, an associate professor at Rutgers Business School who led the study, told Becker's Hospital Review that hospitals may not fully understand how many tracking tools are embedded in commercial software systems or the extent of data collection.
The study stated in PNAS Nexus that "once patient data are transmitted to external vendors, hospitals have limited oversight of how it is stored or shared, making them vulnerable to security lapses in third-party systems," and that "cross-site tracking further heightens these risks, as third-party vendors can aggregate data from multiple websites, making it possible to reconstruct behavioral patterns and infer sensitive health details." The researchers added that "first-party pixels show no significant relationship with breaches, suggesting that external data transmission, rather than pixel technology itself, is the key risk factor."
The pixel tracking problem has already generated enforcement activity. In 2022 and 2023, HHS and the Federal Trade Commission sent warning letters to 130 hospital systems and telehealth providers regarding the privacy risks posed by tracking technologies, as reported by Becker's Hospital Review. Novant Health notified 1.3 million patients of a Meta Pixel breach after the tool transmitted appointment request information to Facebook without authorization. The broader wave of pixel-related disclosures also triggered dozens of class action lawsuits. HHS issued guidance in 2022 stating that tracking pixels transmitting PHI to third parties without a business associate agreement (BAA) likely violate HIPAA, though subsequent legal challenges complicated enforcement of that position.
A 46% breach risk increase tied to a technology that two-thirds of hospitals use for routine marketing puts pixel tracking in the same category as unencrypted email and default passwords: a common practice that healthcare organizations have not yet treated as a security problem requiring active management. The Rutgers study provides the first large-scale empirical confirmation of what the regulatory warnings and lawsuit settlements have suggested since 2022: third-party pixels create measurable, quantifiable breach exposure. Most hospitals adopted these tools without a security review because they were standard across industries, and many still have no inventory of which pixels are active on their sites or what data those pixels transmit. For HIPAA-compliant email and broader HIPAA compliance, the parallel is direct: the same logic that requires scrutiny of what leaves an email also applies to what a hospital website transmits automatically to outside vendors on every page load.
HIPAA applies when a technology transmits protected health information to a third party without a business associate agreement in place. A pixel that sends data about which condition-specific pages a user visited, combined with identifying information such as an IP address, can constitute a PHI disclosure even if no medical record is explicitly shared. Arguing that pixels are standard web technology does not override the underlying privacy obligation.
First-party pixels send data only to the hospital's own servers, where the organization retains full control over storage, access, and security. No external vendor receives the information, so there is no third-party security vulnerability to exploit and no unauthorized disclosure to an entity without a BAA.
When a vendor's pixel is embedded across multiple hospital websites, it can link a user's visits across all of them. A pattern of visits to pages about specific conditions, treatment options, or specialist departments allows the vendor to infer health concerns that the user never explicitly disclosed. That inference can be sufficiently detailed to constitute sensitive health information, even without a formal diagnosis in the data.
A website audit using tools that scan for third-party scripts and pixels will identify which vendors are receiving data. Each identified vendor should be reviewed for whether a BAA is in place and whether the data being transmitted could constitute PHI. Marketing and analytics teams often manage these tools independently of IT security, so the audit needs to involve both functions.
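The audit described above can be started from a page's HTML: collect every resource that fires on load, separate first-party from third-party hosts, and flag vendors with no BAA on file. This is an added example, not code from the article or from Rutgers; the hospital domain, the vendor hostnames, the BAA list and the sample HTML are all constructed for illustration.

```python
# Added example: inventory third-party script/pixel endpoints in a page's HTML
# and flag vendors without a BAA. Hostnames, sample HTML and the BAA list are
# constructed; replace them with the hospital's own domain and vendor register.
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

HOSPITAL_DOMAIN = "example-hospital.org"          # assumed first-party domain
BAA_VENDORS = {"analytics.baa-vendor.example"}    # assumed vendors with a BAA

SAMPLE_HTML = """<html><head>
<script src="https://example-hospital.org/js/site.js"></script>
<script src="https://analytics.baa-vendor.example/tag.js"></script>
<img src="https://tracker.ad-vendor.example/px?page=/oncology/chemo" width=1 height=1>
<iframe src="https://chat.other-vendor.example/widget?ref=cardiology"></iframe>
</head><body><img src="/img/logo.png"></body></html>"""

class ResourceCollector(HTMLParser):
    """Collect src URLs from tags that fetch a resource when the page loads."""
    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        if tag in ("script", "img", "iframe"):
            for name, value in attrs:
                if name == "src" and value:
                    self.urls.append(value)

def is_first_party(host, page_domain):
    return host == page_domain or host.endswith("." + page_domain)

def audit(html, page_domain=HOSPITAL_DOMAIN, baa_vendors=BAA_VENDORS):
    """Return one finding per third-party endpoint: host, BAA status, and the
    query parameters that echo browsing context (page path, referrer) to it."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        parts = urlsplit(url)
        host = parts.hostname or page_domain   # relative src => first party
        if is_first_party(host, page_domain):
            continue
        findings.append({
            "host": host,
            "baa": host in baa_vendors,
            "context_params": sorted(parse_qs(parts.query).keys()),
        })
    return findings

if __name__ == "__main__":
    for f in audit(SAMPLE_HTML):
        status = "BAA" if f["baa"] else "NO BAA"
        print(f"{f['host']:32} {status:7} params={f['context_params']}")
```

Run it against crawled HTML of each public page; a hit with no BAA whose parameters carry condition-specific paths is the disclosure the study is measuring.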
Hospitals do not necessarily have to give up analytics altogether. Many analytics and patient engagement functions can be replicated using first-party implementations that route data through the hospital's own infrastructure rather than directly to external platforms. The trade-off is that building or configuring first-party analytics requires internal technical resources, a barrier the Rutgers study noted disproportionately affects smaller hospitals without dedicated development staff.