Case Study

Large University Hospital System Engages FTI Technology to Provide Technical Investigation and Analysis Related to Alleged AdTech Privacy Violations

  • LinkedIn icon
  • X/Twitter icon
  • PDF icon

A network of university-affiliated health care providers was named in numerous complaints and legal actions relating to improper handling of patients’ personal health information and other personally identifiable information. The complaints surrounded the system’s use of advertising and pixel trackers on its websites, which were believed to be illegally collecting personal information and transferring it to third parties. The organization engaged FTI Technology’s adtech privacy experts to provide technical scoping, data collection, and analysis of how the advertising trackers were being used on its sites.

Situation

Advertising and website pixel trackers are often embedded into the backend of websites to track, and send to third parties, a wide range of information, which may include personally identifiable information and personal health information. Litigators and regulatory agencies are increasingly pursuing action against companies for misuse of these trackers and for personal data protection violations that can result. In this matter, website activity and personal information held across dozens of university campuses and affiliated hospitals needed to be collected and analyzed to understand the scope and scale of potential data privacy violations.

FTI Technology reviewed approximately 7,000 total websites, all requiring either reactive collection and analysis in response to existing complaints or proactive analysis and mitigation in anticipation of additional litigation. Only weeks into the engagement, new lawsuits were filed, requiring the team to quickly pivot from proactive compliance assessments to litigation response for websites pertaining to numerous affiliates across the client’s network. During the course of the review, more than half of the affiliate campuses and hospitals received complaints, lawsuits or settlement demands that required further investigation and response relating to website advertising trackers.

Our Role

Experts within FTI Technology’s Information Governance, Privacy & Security practice have supported clients on more than 100 remediations, litigations and high-profile Federal Trade Commission actions dealing with the use of advertising tracking. The team has firsthand experience deploying, developing and analyzing a wide range of pixel and ad tracking tools and is familiar with their technical nuances. With proprietary tools to automate workflow, and standardized processes for handling proactive and reactive matters involving adtech privacy issues, the team can scale to the demands of any investigation. In this expansive matter, FTI Technology provided thorough scanning, collection and analysis of the system’s clinical and marketing web assets and mobile apps. Additionally, the team:

  • Defined the scope of domains, sites, mobile platforms and trackers that would need to be analyzed for the case.
  • Implemented FTI Technology’s proprietary platform to quickly collect the data from the scoping exercise, categorize the data elements transmitted and document the entities receiving data.
  • Identified the highest risk advertising trackers and activities and conducted a thorough compliance review to help the client understand its complex landscape and exposures.
  • Advised the client on how to remediate exposures without disrupting website functionality or impeding the legitimate business functions supported by ad trackers.
  • Expert-led services and advisory for legal counsel to help them prepare for legal filings and technical memoranda relating to lawsuits and formal complaints.
  • Detailed reporting to provide counsel with documentation needed for litigation and regulatory response.
  • Supported compliance counsel with breach response analysis and notice drafting, as the analysis uncovered a data breach pursuant to HIPAA and other public health regulations.

Our Impact

  • FTI Technology concurrently provided proactive compliance assessment for dozens of unique entities within the hospital system across more than 7,000 websites, and delivered reactive litigation response for impacted affiliates within the network.
  • Delivered analysis and expert reporting to respond to litigation and prepare for additional anticipated filings.
  • Advised and provided remedial actions to help the client reduce risk, establish compliance with privacy requirements, while upholding important website functionality.
  • Ongoing engagement with the client to support strategic and technical efforts to redesign the organization’s digital marketing capabilities with a privacy-forward strategy.
Related topics:
Data Privacy

Related Solutions