Governance & Risk Management , HIPAA/HITECH , Legislation & Litigation

Indiana Health Entity Reports Breach Involving Tracking Code

5 Million People Are Affected by This Breach and 2 Similar Incidents
Indiana Health Entity Reports Breach Involving Tracking Code

An Indiana healthcare network is the latest medical entity to classify its use of online tracking code as a data breach reportable to federal regulators.

See Also: Panel | Encryption is on the Rise! Learn How to Balance Security with User Privacy and Compliance

Community Health Network on Nov. 18 reported to the U.S. Department of Health and Human Services an unauthorized access/disclosure breach affecting 1.5 million individuals involving the use of website tracking code.

The nonprofit health system, which has more than 200 sites and affiliates throughout Central Indiana, says in a breach notification statement that it recently learned some of the third-party tracking technologies installed on its websites - including from Facebook and Google - transmitted certain patient information to the tracking technology vendors.

From August to November, Community Health Network disabled and/or removed the "problematic technologies" from its website platforms and began an investigation to better understand the nature and extent of patient information that was transmitted, the statement says.

Its breach report comes on the heels of at least two other healthcare entities making reports of similar incidents in October to HHS' Office for Civil Rights.

They include Midwest-based Advocate Aurora Health reporting a breach affecting 3 million individuals and North Carolina-based WakeMed Health and Hospitals reporting an incident affecting 500,000 individuals.

A recent study by data privacy firm Lokker found that more than 2,500 U.S. hospitals and healthcare provider websites and patient portals use online activity tracking tools.

Any individual who visited the Community Health Network patient portal or scheduled an appointment on the eCommunity.com website since April 6, 2017 - the date the entity began using the tracking technologies - may have had personal information swept up by trackers. The health system claims it can't say for certain who is affected.

If patients adjusted the settings on their devices to block or delete cookies or if they used only browsers that support certain privacy-protecting operations, their information likely was not affected, even if they accessed MyChart or the eCommunity.com website.

Community Health Network did not immediately respond to Information Security Media Group's request for comment on the breach.

Pressure Mounts on Facebook Over Pixel

Facebook parent company Meta faces a consolidated putative federal class action lawsuit involving the use of its Pixel code in healthcare websites and patient portals. The lawsuit alleges that Pixel collects health data of patients who visit the websites without the individuals' knowledge or consent in violation of HIPAA (see: Federal Judge Skeptical of Facebook in Patient Privacy Suit).

A San Francisco federal judge on Nov. 21 allowed two hospital system co-defendants - UCSF Medical Center and Dignity Health Medical Foundation - to fight the litigation separately from Facebook. Dignity Health told the judge it intends to compel arbitration rather than continue in court.

Federal lawmakers have also intensified their scrutiny over the use of website tracking technology involving health and location data.

In October, Sen. Mark Warner, D-Virginia, wrote to Meta CEO Mark Zuckerberg expressing concern over Pixel's ability to obtain data including medical conditions, appointment dates and treating physician names.

Sen. Elizabeth Warren, D-Mass., introduced in June the Health and Location Data Protection Act of 2022, which seeks a ban on data brokers from selling or transferring sensitive health and location data (see: Bill Would Ban Brokers From Selling Health, Location Data).


About the Author

Marianne Kolbasuk McGee

Marianne Kolbasuk McGee

Executive Editor, HealthcareInfoSecurity, ISMG

McGee is executive editor of Information Security Media Group's HealthcareInfoSecurity.com media site. She has about 30 years of IT journalism experience, with a focus on healthcare information technology issues for more than 15 years. Before joining ISMG in 2012, she was a reporter at InformationWeek magazine and news site and played a lead role in the launch of InformationWeek's healthcare IT media site.




Around the Network

Our website uses cookies. Cookies enable us to provide the best experience possible and help us understand how visitors use our website. By browsing inforisktoday.asia, you agree to our use of cookies.