Getty Images

UC San Diego Health Discloses Healthcare Data Breach Stemming From Vendor Pixel Use

UC San Diego Health disclosed a healthcare data breach tied to a technology vendor, Solv Health, which used analytics tools without the health system’s authorization.

UC San Diego Health notified patients of a healthcare data breach that occurred when its technology vendor, Solv Health, used analytics tools without the health system’s permission. Solv Health previously managed and hosted UC San Diego Health’s scheduling websites for its Express Care and Urgent Care locations.

Patients who used the scheduling site between September 13 and December 22, 2022, to book appointments for in-person or virtual visits may have been subject to unauthorized data access, as the analytics tool potentially captured and transmitted information to Solv Health’s third-party service providers.

The information involved in the breach may have included names, dates of birth, IP addresses, email addresses, third-party cookies, reason for visit, and insurance type.

“It is important to note that these analytics tools never collected Social Security numbers, medical record numbers, financial account numbers, or debit/credit card information,” UC San Diego Health stated.

“The scheduling websites were not part of UC San Diego Health’s electronic health records systems, MyUCSDChart, and no information within MyUCSDChart was impacted by Solv Health’s use of analytics tools.”

After discovering the incident, UC San Diego Health worked with Solv Health to identify impacted individuals and directed the company to remove analytics tools from the scheduling sites immediately. The health system has since transitioned to a new online scheduling tool and enhanced its vendor assessment procedures.

DC Health Link Confirms Data Breach Impact

As previously reported, House leadership raised concerns in early March about a cyberattack on health insurance marketplace DC Health Link that potentially exposed Member and House staff data.

House Speaker Kevin McCarthy and Minority Leader Hakeem Jeffries issued a statement on March 8, in which they noted that the Federal Bureau of Investigation (FBI) had informed them of the purchase of personal identifiable information (PII), along with other enrollee information, on the dark web.

DC Health Link confirmed the breach, noting that it impacted 54,415 customers in total.

“As a result of our investigation, DC Health Link has identified two distinct groups – (Group 1) individuals we know were impacted by the data breach because their information was taken and posted publicly and (Group 2) individuals whose information we now know was stored in the same manner as the first group but we do not have actual evidence that information for Group 2 was compromised,” DC Health Link said in a March 14 update.

DC Health Link said that “the issue which  led to this data breach has been identified and eliminated.” The health insurance marketplace has been working with Mandiant to conduct a comprehensive review of is security measures, the notice stated.

OU Health Discloses Breach Tied to Stolen Laptop

OU Health in Oklahoma notified individuals of a healthcare data breach that occurred on December 26, 2022, when an employee laptop was stolen. The employee’s OU Health emails were on the laptop and contained protected health information (PHI).

The laptop contained names, Social Security numbers, medical record numbers, account numbers, driver’s license numbers, dates of service, dates of birth, treatment information, and health insurance information.

“OU Health was not able to provide confirmation that the stolen laptop was not compromised, therefore out of an abundance of caution, OU Health notified individuals whose information was potentially involved,” OU Health stated.

OU Health began notifying impacted individuals of the breach on March 17.

Next Steps

Dig Deeper on Healthcare data breaches