Community Health Network reports online tracking data breach affecting 1.5 million
Photo: Community Health Network
Community Health Network said it discovered on September 22 that the configuration of certain pixels on its digital properties allowed for a broader scope of patient information collection and transfer to third-party vendors, such as Meta and Google, than it realized.
WHY IT MATTERS
Companies that provide online tracking tools have been accused in class-action lawsuits of allegedly targeting ads to people based on information regarding their health that was collected through healthcare system websites and patient portals.
Community announced November 16 on its website that it launched an investigation into its own data-tracking practices and hired a third-party forensic team.
"That investigation confirmed that third-party tracking technologies were installed on Community's website, including the MyChart patient portal and on some of our appointment scheduling sites," the health network said in the statement.
"When we learned of this, we immediately began working with our service providers to disable and/or remove certain technologies from our websites and applications as we continued our internal investigation in hopes of better understanding the nature of the information that these technologies were collecting and transmitting."
Community also said that the investigation has not found evidence that misuse or fraud has occurred as a result of the breach, and it "cannot say with certainty what information was involved."
The data could be computer IP address; dates, times and/or locations of scheduled appointments; information about an individual's healthcare provider; type of appointment or procedure scheduled; communications through MyChart – which may have included first and last name and medical record number; information about whether an individual had insurance and if an individual had a proxy MyChart account, and the name of the proxy.
"We have no indication that any Social Security numbers, financial account numbers or debit/credit card information was collected by or transmitted through the third-party tracking technologies at any time," Community said.
THE LARGER TREND
This past week, the U.S. Department of Health and Human Services issued guidance on the use of online tracking tools in healthcare.
It comes after months of confusion and class-action lawsuits as health systems manage a new front for patient privacy and security. Community Health Network joins a number of healthcare providers that are discovering they were unaware of how, when and what patient data was being transmitted for third-party marketing efforts.
Pixel technology uses a Java tracking script to send an organization's data to the technology owner, which could be shared with network marketing partners who target individuals with relevant offers and advertisements.
Because patient data cannot be shared under HIPAA, consumer data mining practices – which are generally criticized for lacking transparency – have long elicited medical privacy concerns.
A class-action lawsuit filed in June against Meta Platforms, owned by Facebook, alleges the social media giant knowingly received patient data from at least 664 hospitals or medical providers and monetized the information for targeted advertising.
"This unlawful collection of data is done without the knowledge or authorization of the patient, like plaintiffs, in violation of federal and state laws as well as Facebook's own contract with its users," the court document said.
"When a patient communicates with a healthcare provider's website where the Facebook Pixel is present on the patient portal login page, the Facebook Pixel source code causes the exact content of the patient's communication with their healthcare provider to be redirected to Facebook in a fashion that identifies them as a patient."
In October, for instance, Advocate Aurora Health sent letters informing 3 million patients in Illinois and Wisconsin about a potential data breach involving tracking pixels. In August, Novant Health announced it had let 1.3 million of its patients know about its third-party data breach.
The recent lawsuits suggest potential liability for failing to provide patient privacy protections that healthcare organizations are obligated to uphold under the law.
Andrew Mahler, a former investigator with HHS Office for Civil Rights and now VP of privacy and compliance at CynergisTek, stressed the importance of healthcare organizations performing thorough risk analyses, providing proper training and education and seeking independent third-party review of policies, processes and systems.
"What makes this situation especially complex and troubling is that the healthcare organizations themselves may not have been aware that the Meta Pixel tool had been embedded in its website and/or that it was tracking, comparing and receiving data about patients, including [protected health information]," he told Healthcare IT News earlier this month when asked about privacy challenges and best practices where websites track users' online behaviors.
ON THE RECORD
"Community used the applicable third-party tracking technologies from April 6, 2017, until most of them were disabled and/or removed from August to November 2022 as our investigation progressed," the health provider said in a separate FAQ on its website.
Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org
Healthcare IT News is a HIMSS publication.