Web Trackers: Data Gathering Tool Turned Cyber Threat

Online activities are tracked by nearly every website you visit – whether you are shopping, surfing, or engaging in social media.

The Purpose of Web Tracking

You might ask yourself: why is anyone interested in what food I buy or what hobbies I enjoy? Most of us lead pretty tame lives when it comes to our web browsing history. However, website owners, ISPs, data broker companies, advertising agencies, and big tech firms see great value in tracking our activity.

They use this data to create a profile of you as a user, tailoring your web experience and the ads you see to your interests. You have probably noticed that after searching online for a product, you see multiple ads for the same product and related products. Coincidence? Not at all.

While the intent is clearly to make money through advertising, there can be a more sinister side to this data collection via web trackers. After all, there is an exceptionally fine line when it comes to user privacy. Do we really know how our data is being used and how this line is being crossed?

Types of Web Trackers

Web trackers come in various forms, each serving distinct purposes for monitoring user behavior online.

Cookies

Cookie-based trackers are the most common, storing small text files on a user’s device to remember preferences and track site visits.

Third-Party Cookies

Created by websites other than the one being visited, these cookies monitor a user’s activity across the web and use their information for ad-serving and retargeting.

Pixel Trackers

Pixel trackers, also known as web beacons or tracking pixels, are tiny, often invisible images embedded in web pages or emails that signal when a page is viewed or an email is opened.

Fingerprinting

Fingerprinting is a more sophisticated method that collects information about a user’s device, such as browser type, operating system, and installed plugins, to create a unique identifier.

Script-Based Trackers

Script-based trackers use JavaScript to gather data on user interactions, such as clicks and mouse movements. These trackers are utilized for various reasons, including analytics, advertising, and enhancing user experience.

Single Sign-On and Browser Accounts

Furthermore, devices are more connected than ever through single sign-on accounts like Google, meaning that mobile browsing, your laptop, and other devices experience the same browser tracking. Also, logging into the web browser itself allows companies to track our online activity more effectively across different devices and sessions.

Session Cookies vs Persistent Cookies

Session cookies are temporary cookies that are deleted once the user closes their browser, and they are used to track the user’s activities within a single session, such as keeping items in a shopping cart. Persistent cookies, on the other hand, remain on the user’s device for a set period or until manually deleted, allowing websites to remember user preferences, login information, and other settings across multiple sessions.
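The tracker types above can be spotted in a page's own markup and response headers. The following is an added example, not code from the original article: a small audit that flags third-party scripts, tracking pixels, and session versus persistent cookies. The hostnames, HTML, and cookie values are constructed sample data, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from http.cookies import SimpleCookie
from urllib.parse import urlparse
# Constructed sample data: hostnames, markup and cookies are made up for this example.
PAGE_HOST = "portal.clinic.example"
PAGE_HTML = """
<script src="/static/app.js"></script>
<script src="https://collect.adtech.example/tag.js"></script>
<img src="https://pixel.adtech.example/p.gif?page=/appointments" width="1" height="1">
<img src="/img/logo.png" width="200" height="60">
<img src="https://beacon.social.example/b.gif" style="display: none">
"""
SET_COOKIE_HEADERS = ["cart=abc123; Path=/; HttpOnly",
                      "uid=7f3a9c; Max-Age=31536000; Path=/; Secure"]

def is_third_party(url, page_host):
    # Simplified host comparison; a production audit would compare registrable domains.
    host = urlparse(url).hostname
    return bool(host) and host != page_host and not host.endswith("." + page_host)

class TrackerAudit(HTMLParser):
    def __init__(self, page_host):
        super().__init__()
        self.page_host, self.findings = page_host, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        src = a.get("src") or ""
        if not is_third_party(src, self.page_host):
            return
        if tag == "script":
            self.findings.append(("third-party script", src))
        elif tag == "img":
            # Beacons are typically 1x1 (or 0x0) images, or hidden with CSS.
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in (a.get("style") or "").replace(" ", "")
            if tiny or hidden:
                self.findings.append(("tracking pixel", src))

def audit_page(html, page_host):
    parser = TrackerAudit(page_host)
    parser.feed(html)
    return parser.findings

def classify_cookies(set_cookie_headers):
    kinds = {}
    for header in set_cookie_headers:
        for name, m in SimpleCookie(header).items():
            # No Max-Age/Expires: the browser drops the cookie when it closes.
            kinds[name] = "persistent" if m["max-age"] or m["expires"] else "session"
    return kinds
```

Calling `audit_page(PAGE_HTML, PAGE_HOST)` on the sample reports one third-party script and two tracking pixels, while the first-party logo and script are ignored.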

Why are some Internet Trackers Dangerous?

Web trackers can compromise privacy by collecting personal data without consent. The user has no control over how that information is managed – it can be shared and sold to third parties like data brokers, and then sold again, even to foreign governments.

Web trackers can also be used to manipulate search results and recommendations in ways that limit how users see the world, for example to reinforce political beliefs, sway public opinion, or serve business interests. Persistent cookies are used to retain your username and passwords for login sites, keep your shopping cart intact, and automatically fill in form data. However, what is the potential tradeoff for this convenience?

One of the most sinister issues with persistent cookies is a phenomenon called cookie poisoning. This is a type of cyber-attack in which a bad actor hijacks, forges, or alters a cookie to gain unauthorized access to a user’s account. They can then even use the information to open a new account and steal the user’s name for identity theft. Imagine the damage this can do if a hacker enters your online banking, healthcare patient portal, cash transfer app, or other sensitive accounts! Furthermore, users don’t usually know that a second party is signed into their account until long after the damage is done. Even if the hacker doesn’t directly use your information at the time, data can be gathered and sold on the dark web to other parties.

The Healthcare Sector is the Newest Target

With recent, highly publicized reports of huge data breaches among healthcare giants, the issue of online tracking technologies on healthcare-related websites has moved to the front. Law firm BakerHostetler reported in its 2024 Data Security Incident Response Report:

“We are currently defending more than 300 privacy or data security lawsuits. Over 100 of those cases involve claims related to website tracking technologies (compared to 50+ in 2022).”

California law, specifically the California Invasion of Privacy Act (CIPA) and the Computer Data Access and Fraud Act (CDAFA), is cited in dozens of lawsuits alleging that cross-referencing tracker data with commercially available information violates individual privacy rights. Furthermore, lawsuits that bring claims under CIPA allege that the tracker technology accesses information without obtaining consent. Damages under CIPA and CDAFA can amount to $5,000 per violation, plus punitive damages and attorney fees.

Kaiser Foundation Breach

At least one major breach at California healthcare conglomerate Kaiser Permanente can be attributed to web trackers. The organization was tasked in May with notifying millions of current and former members of a data breach.

Tracking tools formerly installed on Kaiser websites and mobile apps may have transmitted information to third-party advertisers including Google, Microsoft, and X (Twitter). The information transmitted included member names and IP addresses, as well as information revealing if members were signed into a Kaiser account and how members interacted with and navigated the site.

Guidance issued by the Department of Health and Human Services Office of Civil Rights in 2022 warned healthcare providers that allowing third-party tech companies to collect and analyze information from visitors of their websites could potentially violate HIPAA. HIPAA violations of this magnitude (millions of users and health records) could be heavily penalized and result in crippling fines.

Opponents of the DHHS guidance argue that the department went too far by interpreting “individually identified health information” protected by HIPAA as inclusive of metadata from a user’s public website searches, such as in the Kaiser case. The American Hospital Association, as well as several smaller groups, have filed suit against the U.S. DHHS in federal court.

The newest development in this ongoing issue happened June 20, 2024, as a federal judge in Texas ruled that guidance issued by President Biden’s administration that bars hospitals from using online tracking technology was unlawful.

In the face of ongoing attacks on healthcare entities by hacking groups, continued scrutiny of healthcare data and how it is collected and used can be expected.

RecordQuest

As a valuable partner to healthcare organizations across the country, RecordQuest’s priority is to protect patient privacy while fulfilling requests as quickly, yet compliantly as possible. RecordQuest handles the details so that healthcare organizations can allocate resources where they are most needed – providing excellent healthcare in their respective communities. Ready for a trusted partner to help navigate the rough waters of healthcare release of information requests? Contact RecordQuest’s experts for detailed information.
