Written by Ferhat Dikbiyik
Additional Contributor Ekrem Celik
Edited by Haley Williams

The risk of data breaches and data privacy issues related to Facebook/Meta Pixel tracking codes on websites have increased with recent events, particularly healthcare entity breaches. Organizations have begun to raise concerns about their vendors having the particular tracking code. As many companies use Facebook’s tracking code Pixel to provide data for their Facebook Business/Ads accounts, organizations in heavily-regulated industries, such as healthcare, are concerned about the tracking codes’ data collection and transmission capabilities. This is for good reason.

In October, the healthcare company WakeMed notified more than 495,000 patients that their PII was involved in a data breach. The company’s statement to patients noted that “the pixel’s software code may have also transmitted some of the information entered into the MyChart patient portal and appointment scheduling page back to Facebook.”

Similarly, a healthcare company Advocate Aurora Health notified 3 million individuals of a breach stemming from the use of tracking pixels, and another healthcare company Novant Health notified 1.3 million individuals of potential unauthorized data disclosures resulting from its use of pixels.

All tied to Facebook’s Pixel code, Facebook’s parent company Meta rejects any wrongdoing, and the code does what it designs to do so. So let’s take a step back, and discuss what exactly Facebook/Meta Pixel does.

What does Facebook/Meta Pixel do?

Facebook/Meta Pixel is a piece of code placed on a website to help measure an organization’s ad effectiveness. It does this by analyzing and understanding how visitors are behaving on the website.

According to Facebook, the Pixel helps customers to:

  • Ensure that ads are shown to the right people
  • Reach people who are more likely to take action
  • Better understand the impact of the ads

Example of Facebook and Meta Pixel Codes in website HTML source codes

But according to some users, Meta doesn’t stop at that. It uses highly sensitive information about patients, their conditions, prescriptions, drugs, and more.

Email and Facebook advertisements included in the complaint

Because Meta Pixel is used on many sites, users become the target audience for certain ads in multiple internet locations. Users claim that Meta’s tracking code is located on the websites of 33 of the top 100 hospitals in the United States.

The number of companies using Facebook/Meta Pixel has been decreasing

There are around 70,000 websites that use legacy Facebook Pixel, and another 10,000 use the rebranded Meta Pixel as of November 21, 2022. The total number, 80,000 now, was more than 90,000 one week ago.

Results on Shodan on November 22, 2022

As the disputes around the privacy issues around the Pixel have been increasing, more and more organizations have removed the Pixel codes from their websites.

Third-party cyber risk related to Facebook/Meta Pixel

Organizations share their data with third-party vendors for their operations. Healthcare institutions must share partial patient information with prescription service providers. If the prescription service provider uses Facebook/Meta Pixel on its website, it may cause a data breach or privacy issue. Organizations need to know all third-parties that currently use Facebook/Meta Pixel within their supply chain.

How to determine vendors using Facebook/Meta Pixel

Black Kite’s FocusTags™ are a fast and straightforward way for platform users to track high-profile cyber events and identify which vendors have been affected within their supply chain. This capability furthers the company’s mission to continuously monitor vendors to identify and mitigate ransomware and other risks. FocusTags™ are automatically applied following high-profile cyber attacks or ongoing conflicts but can also be added to help organize vendors in the Black Kite platform.

With these possible risks and ongoing data breaches, our customers must constantly monitor this situation.

Black Kite allows you to recognize these risks in advance in order to mitigate them. So how does Black Kite do that? The platform scans all sites that may affect our customers and separates them according to whether the code is used or not. The Facebook/ Meta Pixel tag is added next to the names of the companies that use it.

In addition, when you click on this tag, you can reach the necessary details.

Since not all vendors will be affected, you can use the platform’s filtering functionality to narrow down which vendors have been tagged:

  • Go to Ecosystems > Company List, and click on Filter
  • Select the ‘Tags’ field in the pop-up window
  • Select Facebook/ Meta Pixel tag
  • Click ‘Filter’