
UCHealth, UCLA Health Report Healthcare Data Breaches

The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.

UCHealth and UCLA Health are the latest entities to report healthcare data breaches, both tied to third-party vendors.

UCHealth Suffers Third-Party Data Breach

UCHealth in Aurora, Colorado, reported a third-party data breach to HHS that impacted 48,879 individuals. According to its notice to patients, UCHealth was recently informed by software company Diligent that some patient, provider, and employee data may have been involved in a security incident.

“Diligent provides hosted services to UCHealth and reported to UCHealth that Diligent’s software was accessed and attachments were downloaded including UCHealth files,” the notice stated.

“Importantly, UCHealth’s systems, including its email and electronic medical record, were not impacted by this incident.”

The information potentially downloaded by the cybercriminal may have included names, addresses, treatment-related information, and dates of birth, as well as Social Security numbers and financial information in some cases.

UCHealth said it had “no reason to believe the data taken from Diligent’s system went beyond the cybercriminal or was misused in any way” but encouraged impacted individuals to watch for suspicious activity.

UCLA Health Breach Impacts 94K

UCLA Health notified 94,000 individuals of a recent healthcare data breach stemming from its use of analytics tools, such as tracking pixels. As previously reported, many hospitals are facing backlash for their use of tracking tools created by companies like Meta and Google. Meta itself is facing multiple lawsuits over the use of tracking pixels on hospital websites.

UCLA Health did not mention Meta specifically, but noted that the use of analytics tools on an appointment request form completed on its website or mobile app may have “captured and transmitted to our third-party service providers certain limited information.”

The health system began using analytics tools on its public website and mobile app in April 2020 with the goal of understanding how its community interacted with them.

“Analytics tools allow organizations to review website and app activity in the aggregate to develop more effective and efficient communication,” the organization stated.

“When in June 2022 UCLA Health learned of concerns relating to the use of these analytics tools by health-care providers, we disabled them.”

The appointment request forms containing analytics tools potentially captured information on third-party cookies, provider names and specialties, and hashed values of form fields that included names, email addresses, phone numbers, mailing addresses, and gender.

“It is important to note that these analytics tools never captured Social Security numbers, financial account numbers, or debit/credit card information,” the notice continued.

“Moreover, Appointment Request Forms that were impacted were only present on the UCLA Health website and the UCLA Health mobile app. UCLA Health did not place these analytics tools within myUCLAhealth, the online patient portal.”
