Indiana Health Entity Reports Breach Involving Tracking Code
5 Million People Are Affected by This Breach and 2 Similar Incidents
An Indiana healthcare network is the latest medical entity to classify its use of online tracking code as a data breach reportable to federal regulators.
Community Health Network on Nov. 18 reported to the U.S. Department of Health and Human Services an unauthorized access/disclosure breach affecting 1.5 million individuals involving the use of website tracking code.
The nonprofit health system, which has more than 200 sites and affiliates throughout Central Indiana, says in a breach notification statement that it recently learned some of the third-party tracking technologies installed on its websites - including from Facebook and Google - transmitted certain patient information to the tracking technology vendors.
From August to November, Community Health Network disabled and/or removed the "problematic technologies" from its website platforms and began an investigation to better understand the nature and extent of patient information that was transmitted, the statement says.
Its breach report comes on the heels of at least two other healthcare entities making reports of similar incidents in October to HHS' Office for Civil Rights.
They include Midwest-based Advocate Aurora Health reporting a breach affecting 3 million individuals and North Carolina-based WakeMed Health and Hospitals reporting an incident affecting 500,000 individuals.
A recent study by data privacy firm Lokker found that more than 2,500 U.S. hospitals and healthcare provider websites and patient portals use online activity tracking tools.
Any individual who visited the Community Health Network patient portal or scheduled an appointment on the eCommunity.com website since April 6, 2017 - the date the entity began using the tracking technologies - may have had personal information swept up by trackers. The health system claims it can't say for certain who is affected.
If patients adjusted the settings on their devices to block or delete cookies or if they used only browsers that support certain privacy-protecting operations, their information likely was not affected, even if they accessed MyChart or the eCommunity.com website.
Community Health Network did not immediately respond to Information Security Media Group's request for comment on the breach.
Pressure Mounts on Facebook Over Pixel
Facebook parent company Meta faces a consolidated putative federal class action lawsuit involving the use of its Pixel code in healthcare websites and patient portals. The lawsuit alleges that Pixel collects health data of patients who visit the websites without the individuals' knowledge or consent in violation of HIPAA (see: Federal Judge Skeptical of Facebook in Patient Privacy Suit).
A San Francisco federal judge on Nov. 21 allowed two hospital system co-defendants - UCSF Medical Center and Dignity Health Medical Foundation - to fight the litigation separately from Facebook. Dignity Health told the judge it intends to compel arbitration rather than continue in court.
Federal lawmakers have also intensified their scrutiny over the use of website tracking technology involving health and location data.
In October, Sen. Mark Warner, D-Virginia, wrote to Meta CEO Mark Zuckerberg expressing concern over Pixel's ability to obtain data including medical conditions, appointment dates and treating physician names.
Sen. Elizabeth Warren, D-Mass., introduced in June the Health and Location Data Protection Act of 2022, which seeks to ban data brokers from selling or transferring sensitive health and location data (see: Bill Would Ban Brokers From Selling Health, Location Data).