Alcohol Recovery Startup Suffers Healthcare Data Breach, 108K Impacted

Alcohol recovery startup Monument disclosed a healthcare data breach tied to its use of tracking pixels.

Alcohol recovery startup Monument disclosed a healthcare data breach to HHS that impacted 108,584 individuals. According to a report from The Verge, Monument, which acquired fellow online alcohol recovery service Tempest in 2022, inadvertently exposed patient data due to the use of tracking tools.

The tools used on both Tempest and Monument potentially shared names, email addresses, phone numbers, birthdates, home addresses, insurance information, IP addresses, photographs, assessment and survey responses, and health information with third parties.

“Monument owns and operates both the Monument and Tempest websites, to which you have visited or on which you created an account. These websites, like many others, used technologies known commonly as ‘pixels’ or other similar technologies known as ‘tracking technologies.’ Common examples of tracking technologies are those made available by Meta (Facebook), Google, Bing, Pinterest, as well as other third parties,” Monument explained.

“In late 2022, the federal government issued guidance on the uses of those online tracking technologies and Monument promptly undertook an internal review to determine whether and how we should change our practices to better protect member privacy.”

The incident impacted Monument customers from January 2020 on, and Tempest customers beginning November 2017. The company stopped using tracking technologies by February 23, 2023. The information exposed for each customer varied based on when they visited Monument’s sites, how web browsers were configured, and other factors.

CA Community Health Center Discloses Breach

La Clínica de La Raza, a community health center in California, disclosed a healthcare data breach that impacted 15,316 individuals. La Clínica discovered suspicious activity within its email environment on February 8, 2023.

La Clínica immediately secured its email accounts and launched an investigation. The community health center later determined that the email accounts were subject to unauthorized access at various times between January 24 and February 3.

The email accounts contained patient names, addresses, financial account information, dates of birth, Social Security numbers, medical treatment information, health insurance information, and online credentials.

La Clínica is still reviewing the compromised accounts and has started notifying impacted individuals of the breach.

UHS of Delaware Impacted by Adelanto HealthCare Ventures Breach

UHS of Delaware notified 40,290 individuals of a third-party data breach stemming from Adelanto HealthCare Ventures (AHCV). As previously reported, nine other healthcare organizations have reported breaches tied to AHCV, a consulting company that specializes in Medicaid reimbursements.

AHCV suffered a phishing attack in November 2021. AHCV initially believed that no protected health information (PHI) was impacted. However, on August 19, 2022, the company determined that PHI may have been involved. 

“Our Organization has confirmed that AHCV is expanding its security measures in light of the incident and assessing additional training and security reminders to its employees,” UHS of Delaware stated.

“Our business associate has counseled its own employees on the incident and best practices, and is determining whether additional steps are needed.”

Next Steps

Dig Deeper on Healthcare data breaches