Online Alcohol Counselor: Web Tracker Breach Affects 109,000
NY-Based Monument Inc. Says Privacy Incident Affected Members Dating Back to 2017
An online alcohol abuse counseling service is notifying about 109,000 clients of a data breach involving the company's prior use of tracking tools on its websites dating back to 2017. The breach affects members of Monument Inc. and Tempest, a counseling service acquired last year.
New York-based Monument Inc., which offers personalized online alcohol treatment, said it recently stopped using website tracking tools from companies including Google, Facebook, Pinterest and Bing after an internal review of its practices, according to a sample breach notification letter provided to the California attorney general on March 31.
Monument says it conducted the review following guidance issued by federal regulators in December 2022 regarding privacy concerns involving the use of tracking technologies. The company's review found that on Feb. 6 "some" information may have been shared with third-party providers of the tracking tools "without appropriate authorization, consent or agreements required by law."
Monument "is committed to only sharing information in a manner that complies with HIPAA and other applicable laws," the letter said. The Department of Health and Human Services' HIPAA Breach Reporting Tool website shows that Monument reported the incident on March 31 as an unauthorized access/disclosure involving a network server.
"Protecting our patients' privacy is a top priority," Monument CEO Michael Russell said in a statement provided to Information Security Media Group. "We have put robust safeguards in place and will continue to adopt appropriate measures to keep data safe. In addition, we have ended our relationship with third-party advertisers that will not agree to comply with our contractual requirements and applicable law."
Information affected by the tracking incident includes names, birthdates, email addresses, telephone numbers, addresses, Monument IDs, insurance member IDs, IP addresses, unique digital IDs, uniform resource locators, photographs, selected services or plans, assessment or survey responses, appointment-related information and associated health information.
Monument says its internal review found that the tracking activity started in January 2020 - and in November 2017 for members of Tempest, which was acquired in May 2022.
Monument is the latest entity on a growing list of organizations reporting data breaches involving their previous use of web tracking tools on health-related websites. Some of the other entities also provide services that handle particularly sensitive health information.
Among the largest such incidents was a breach affecting nearly 3.2 million individuals reported on March 1 by San Francisco-based online mental health services provider Cerebral. The company used website tracking tools from 2019 until recently to share sensitive patient information with third parties including Facebook, Google and TikTok without the individuals' consent.
The Monument incident "is certainly another instance in which it is clear that healthcare entities must review any marketing technologies implemented on their websites," said privacy attorney Cory Brennan of the law firm Taft.
"I have no doubt that we'll continue to see this number grow," she said. "It is absolutely crucial that we start to bridge that gap and bring marketing and compliance leaders together to assess the risk an organization is facing related to the use of these third-party tracking technologies."
A key takeaway from the recent rash of web tracking breaches is that if any component of a regulated entity's website is established to entice or procure individual interaction or engagement - and that same website has any third-party tracking technologies present - the organization should determine exactly what information is collected and transmitted through those third-party tracking technologies as soon as possible, she said.
"All electronic protected health information created, received, maintained or transmitted by a covered entity is subject to the HIPAA Security Rule," she said. If an entity regulated by HIPAA is not including its web environment and the technologies used within that environment in the scope of its standard HIPAA compliance practices, "this is a huge gap and will continue to create risks for the organization."
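The audit Brennan describes, determining exactly what each third-party tracking tool receives, can be started from a capture of the site's outbound browser requests. The following is an added example, not Monument's or any vendor's code; the first-party host, test-account values and captured request URLs are constructed, and the tracker endpoints are illustrative.

```javascript
// Added example: audit a capture of a site's outbound browser requests for member
// data reaching third-party tracking hosts. Input is a list of request URLs
// (e.g. exported from a HAR file); the sample below is constructed.
const EMAIL_RE = /^[^@\s]+@[^@\s]+\.[^@\s]+$/;

// Record findings for one parameter. Values are matched against the categories the
// notice lists (email, member ID, date of birth) using a test account's known values,
// then recursed into when they are themselves URLs: pixels typically send the current
// page URL, whose path and query can reveal the plan or assessment a member chose.
function classify(host, name, value, knownPii, findings, depth = 0) {
  const cats = new Set(EMAIL_RE.test(value) ? ["email"] : []);
  for (const [category, pii] of Object.entries(knownPii)) if (value === pii) cats.add(category);
  for (const category of cats) findings.push({ host, field: name, category });
  if (depth >= 2 || !/^https?:\/\//.test(value)) return;
  let nested;
  try { nested = new URL(value); } catch (e) { return; }
  if (nested.pathname !== "/") findings.push({ host, field: name, category: "page_path:" + nested.pathname });
  for (const [n, v] of nested.searchParams) classify(host, `${name}>${n}`, v, knownPii, findings, depth + 1);
}

// Only requests leaving the first-party domain are in scope for this audit.
function auditTrackerRequests(urls, firstPartyHosts, knownPii) {
  const findings = [];
  for (const raw of urls) {
    const url = new URL(raw);
    if (firstPartyHosts.has(url.hostname)) continue;
    for (const [name, value] of url.searchParams) classify(url.hostname, name, value, knownPii, findings);
  }
  return findings;
}

// Group findings by tracker host: what each third party received, as sorted categories.
function summarize(findings) {
  const byHost = {};
  for (const f of findings) { if (!byHost[f.host]) byHost[f.host] = new Set(); byHost[f.host].add(f.category); }
  return Object.fromEntries(Object.entries(byHost).map(([h, s]) => [h, [...s].sort()]));
}

// Constructed sample capture: tracker endpoints are illustrative, IDs are placeholders.
const FIRST_PARTY = new Set(["counseling.example.test"]);
const KNOWN_PII = { email: "jane@example.test", member_id: "MON-12345", dob: "1985-04-02" };
const SAMPLE_REQUESTS = [
  "https://www.facebook.com/tr?id=000000&ev=PageView&dl=https%3A%2F%2Fcounseling.example.test%2Fassessment%3Fscore%3D12&ud%5Bem%5D=jane%40example.test",
  "https://www.google-analytics.com/g/collect?v=2&tid=G-0000000&uid=MON-12345&dl=https%3A%2F%2Fcounseling.example.test%2Fplans%2Fmedication-plan",
  "https://counseling.example.test/api/appointments?id=42",
  "https://bat.bing.com/action/0?ti=0000000&p=https%3A%2F%2Fcounseling.example.test%2Fbook%3Fdob%3D1985-04-02",
];

console.log(summarize(auditTrackerRequests(SAMPLE_REQUESTS, FIRST_PARTY, KNOWN_PII)));
```

Run against a real HAR export, the per-host summary is the inventory of what each tracker actually received, which is the input a compliance review needs before deciding whether a BAA, consent or removal is required.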