DOI: 10.1145/3559613.3563190 (research article, public access)

All Eyes On Me: Inside Third Party Trackers' Exfiltration of PHI from Healthcare Providers' Online Systems

Published: 07 November 2022

    Abstract

    In the United States, sensitive health information is protected under the Health Insurance Portability and Accountability Act (HIPAA). This act limits the disclosure of Protected Health Information (PHI) without the patient's consent or knowledge. However, as medical care becomes web-integrated, many providers have chosen to use third-party web trackers for measurement and marketing purposes. This presents a security concern: third-party JavaScript requested by an online healthcare system can read the website's contents, and ensuring PHI is not unintentionally or maliciously leaked becomes difficult. In this paper, we investigate health information breaches in online medical records, focusing on 459 online patient portals and 4 telehealth websites. We find 14% of patient portals include Google Analytics, which reveals (at a minimum) the fact that the user visited the health provider website, while 5 portals and 4 telehealth websites contained JavaScript-based services disclosing PHI, including medications and lab results, to third parties. The most significant PHI breaches were on behalf of Google and Facebook trackers. In the latter case, an estimated 4.5 million site visitors per month were potentially exposed to leaks of personal information (names, phone numbers) and medical information (test results, medications). We notified healthcare providers of the PHI breaches and found only 15.7% took action to correct leaks. Healthcare operators lacked the technical expertise to identify PHI breaches caused by third-party trackers. After notifying Epic, a healthcare portal vendor, of the PHI leaks, we received a prompt response and observed extensive mitigation across providers, suggesting vendor notification is an effective intervention against PHI disclosures.
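    As an added example (not the paper's own tooling or data), the following Python audit classifies captured portal requests the way the abstract distinguishes them: a bare third-party beacon reveals only that the page was visited, while a third-party request carrying patient fields is a PHI leak. The provider domain suffix, the PHI field names and the request records are constructed assumptions.

```python
# Added example: audit captured browser requests from a patient-portal session
# for third-party calls, separating bare "visit" beacons from requests that
# carry PHI-like fields. The first-party suffix, PHI field names and request
# records are constructed assumptions, not the paper's data or tooling.
from urllib.parse import urlsplit, parse_qs

FIRST_PARTY_SUFFIX = "example-health.test"   # assumed provider domain
# Assumed parameter names that indicate patient data in a request
PHI_FIELDS = {"medication", "lab_result", "patient_name", "phone", "dob"}

# Constructed sample of captured requests (simplified HAR-style entries)
SAMPLE_REQUESTS = [
    {"url": "https://portal.example-health.test/api/results",
     "body": "lab_result=normal"},
    {"url": "https://www.google-analytics.com/collect?v=1&t=pageview&dp=%2Fmeds"},
    {"url": "https://www.facebook.com/tr?id=0000&ev=ViewContent",
     "body": "cd[medication]=metformin&cd[phone]=555-0100"},
    {"url": "https://cdn.example-health.test/app.js"},
]


def is_third_party(host):
    """True when the host lies outside the provider's own domain."""
    return host != FIRST_PARTY_SUFFIX and not host.endswith("." + FIRST_PARTY_SUFFIX)


def phi_fields_in(request):
    """Return the PHI-like parameter names found in the URL query or the body."""
    params = parse_qs(urlsplit(request["url"]).query, keep_blank_values=True)
    params.update(parse_qs(request.get("body", ""), keep_blank_values=True))
    found = set()
    for key in params:
        # Pixel-style custom data arrives as cd[name]; unwrap it before matching
        name = key[3:-1] if key.startswith("cd[") and key.endswith("]") else key
        if name in PHI_FIELDS:
            found.add(name)
    return found


def audit(requests):
    """Return (host, kind, fields) for every third-party request: 'visit-leak'
    reveals only that the page was visited, 'phi-leak' carries patient data."""
    findings = []
    for req in requests:
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host):
            continue
        fields = sorted(phi_fields_in(req))
        findings.append((host, "phi-leak" if fields else "visit-leak", fields))
    return findings
```

    Running `audit(SAMPLE_REQUESTS)` flags the analytics beacon as a visit leak and the pixel request, which carries medication and phone fields, as a PHI leak, while both first-party hosts are skipped.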



        Published In

        WPES'22: Proceedings of the 21st Workshop on Privacy in the Electronic Society
        November 2022
        227 pages
        ISBN: 9781450398732
        DOI: 10.1145/3559613
        Permission to make digital or hard copies of all or part of this work for personal or classroom use is granted without fee provided that copies are not made or distributed for profit or commercial advantage and that copies bear this notice and the full citation on the first page. Copyrights for components of this work owned by others than the author(s) must be honored. Abstracting with credit is permitted. To copy otherwise, or republish, to post on servers or to redistribute to lists, requires prior specific permission and/or a fee. Request permissions from [email protected].

        Publisher

        Association for Computing Machinery, New York, NY, United States

        Author Tags

        1. hipaa
        2. protected health information
        3. web privacy
        4. web tracking

        Qualifiers

        • Research-article

        Funding Sources

        • US National Science Foundation

        Conference

        CCS '22
        Overall Acceptance Rate: 106 of 355 submissions, 30%


        Cited By

        • (2024) Analysis of Third-Party Data Leaks on Finnish Mental Health Websites. 2024 47th MIPRO ICT and Electronics Convention (MIPRO), 1543-1548. DOI: 10.1109/MIPRO60963.2024.10569215. Online publication date: 20-May-2024
        • (2024) Analyzing third-party data leaks on online pharmacy websites. Health and Technology 14:2, 375-392. DOI: 10.1007/s12553-024-00819-w. Online publication date: 3-Feb-2024
        • (2024) Third-Party Data Leaks in the Websites of Finnish Social and Healthcare Districts. Good Practices and New Perspectives in Information Systems and Technologies, 139-152. DOI: 10.1007/978-3-031-60215-3_14. Online publication date: 11-May-2024
        • (2024) Several Online Pharmacies Leak Sensitive Health Data to Third Parties. Information Systems and Technologies, 164-175. DOI: 10.1007/978-3-031-45642-8_16. Online publication date: 16-Feb-2024
        • (2023) Data leaks to third parties in web services for vulnerable groups. 2023 46th MIPRO ICT and Electronics Convention (MIPRO), 1208-1212. DOI: 10.23919/MIPRO57284.2023.10159942. Online publication date: 22-May-2023
        • (2023) Data Leaks to Third-Party Services on Medical Websites. 2023 16th International Conference on Security of Information and Networks (SIN), 1-7. DOI: 10.1109/SIN60469.2023.10475119. Online publication date: 20-Nov-2023
        • (2023) From Whistle to Echo: Data Leaks in Web-Based Whistleblowing Channels. Secure IT Systems, 37-53. DOI: 10.1007/978-3-031-47748-5_3. Online publication date: 16-Nov-2023
