Specialty Care Clinic Reports Potential PHI Exposure Caused by Tracking Pixels
The use of Google and Meta tracking pixels by partner company Advocate Aurora Health led to potential PHI disclosure for BayCare Clinic patients.
BayCare Clinic began notifying 134,000 patients of a data breach that potentially exposed protected health information (PHI) stemming from tracking pixels.
The specialty care clinic explained that the breach was tied to partner Advocate Aurora Health’s use of third-party tracking technologies from companies like Facebook and Google.
Tracking pixels are commonly used tools for targeted marketing and tracking visitor activity.
In this case, Advocate Aurora leveraged “the services of several third-party vendors to measure and evaluate information concerning the trends and preferences of patients as they use Advocate Aurora-supported websites and application.”
“These technologies disclose certain details about interactions with such websites, particularly for users that are concurrently logged into their Google or Facebook accounts and have shared their identity and other surfing habits with these companies,” the notice explained.
According to the notice, BayCare Clinic’s patient portal provided through Advocate Aurora released patient information to third-party analytics vendors via tracking pixels.
Advocate Aurora Health disabled the pixels and launched an internal investigation in order to “better understand what patient information was transmitted to our vendors.”
The impacted information potentially included IP addresses; dates, times, or locations of scheduled appointments; proximity to a practice location; information about providers; and other PHI that may have been within the patient portal.
“You can protect yourself from online tracking by blocking or deleting cookies or using browsers that support privacy-protecting operations, such as incognito mode. You can also adjust your privacy settings in Facebook and Google,” BayCare Clinic noted.
“These pixels would be very unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident.”
MindPath Health Faces Employee Email Breach
On December 30, 2022, MindPath Health informed 193,947 patients of an employee email breach that led to potential PHI exposure.
The outpatient behavioral health service organization detected unusual email activity during a routine security audit.
Upon discovery, Mindpath Health secured its email environment and hired experts to investigate suspicious activity within the environment.
“During the investigation, our third-party forensic firm discovered that two employee email accounts had experienced unauthorized access: one in March 2022 and the second in June 2022,” the report stated. “On November 15, 2022, following a thorough investigation, it was discovered that a limited amount of protected health information may have been accessed by an unauthorized third party in connection with this incident.”
Additionally, the investigation suggests that impacted information included patient names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.
“At this time, Mindpath Health is not aware of any evidence to suggest that any information has been, or will be, misused,” the report stated. “However, Mindpath Health was unable to rule out the possibility that the information could have been accessed. Therefore, in an abundance of caution, Mindpath Health is notifying potentially impacted individuals of this incident.”
DCH Health System Discloses Data Security Event, Over 2K Impacted
DCH Health System informed 2,530 patients of a data security incident that occurred in early December.
The healthcare system discovered the security incident on December 9, 2022, and later determined that an employee inappropriately accessed patient EHR records between September 2021 and December 9, 2022.
DCH Health System immediately suspended the employee, who was terminated shortly afterward. The healthcare system later engaged a data breach recovery expert and learned that the information viewed by the employee included names, addresses, dates of birth, Social Security numbers, dates of encounter, diagnoses, vital signs, medications, test results, and provider notes.
“All affected patients have been notified by mail about this incident,” the press release stated. “DCH Health System has no reason to believe that the information was or will be further used or disclosed; however, out of an abundance of caution, free identity theft protection services, including credit monitoring, were offered to all patients whose insurance group and subscriber/policy numbers may have been involved.”
“DCH continues to provide ongoing mandatory HIPAA/privacy training to its workforce members regarding appropriate access, use, and disclosure of protected health information,” the organization confirmed. “DCH will also use this incident to improve our privacy monitoring tools and processes.”