All Eyes On Me: Inside Third Party Trackers' Exfiltration of PHI from Healthcare Providers' Online Systems

Mingjia Huo, Maxwell Bland, Kirill Levchenko

Research output: Chapter in Book/Report/Conference proceeding › Conference contribution

Abstract

In the United States, sensitive health information is protected under the Health Insurance Portability and Accountability Act (HIPAA). This act limits the disclosure of Protected Health Information (PHI) without the patient's consent or knowledge. However, as medical care becomes web-integrated, many providers have chosen to use third-party web trackers for measurement and marketing purposes. This presents a security concern: third-party JavaScript requested by an online healthcare system can read the website's contents, and ensuring PHI is not unintentionally or maliciously leaked becomes difficult. In this paper, we investigate health information breaches in online medical records, focusing on 459 online patient portals and 4 telehealth websites. We find 14% of patient portals include Google Analytics, which reveals (at a minimum) the fact that the user visited the health provider website, while 5 portals and 4 telehealth websites contained JavaScript-based services disclosing PHI, including medications and lab results, to third parties. The most significant PHI breaches were on behalf of Google and Facebook trackers. In the latter case, an estimated 4.5 million site visitors per month were potentially exposed to leaks of personal information (names, phone numbers) and medical information (test results, medications). We notified healthcare providers of the PHI breaches and found only 15.7% took action to correct leaks. Healthcare operators lacked the technical expertise to identify PHI breaches caused by third-party trackers. After notifying Epic, a healthcare portal vendor, of the PHI leaks, we received a prompt response and observed extensive mitigation across providers, suggesting vendor notification is an effective intervention against PHI disclosures.

Original language: English (US)
Title of host publication: WPES 2022 - Proceedings of the 21st Workshop on Privacy in the Electronic Society, co-located with CCS 2022
Publisher: Association for Computing Machinery
Pages: 197-211
Number of pages: 15
ISBN (Electronic): 9781450398732
DOIs
State: Published - Nov 7 2022
Event: 21st Workshop on Privacy in the Electronic Society, WPES 2022 - Los Angeles, United States
Duration: Nov 7 2022 → …

Publication series

Name: WPES 2022 - Proceedings of the 21st Workshop on Privacy in the Electronic Society, co-located with CCS 2022

Conference

Conference: 21st Workshop on Privacy in the Electronic Society, WPES 2022
Country/Territory: United States
City: Los Angeles
Period: 11/7/22 → …

Keywords

  • hipaa
  • protected health information
  • web privacy
  • web tracking

ASJC Scopus subject areas

  • Software
