
Community Health Network Notifies 1.5M of Data Breach Stemming From Tracking Tech

The health system used third-party tracking technologies to track user trends, but later discovered that the tools were collecting more information than the health system “had ever intended.”

Indiana-based integrated healthcare system Community Health Network notified 1.5 million individuals of a data breach stemming from the use of third-party tracking technologies from companies like Facebook and Google.

As previously reported, Meta (Facebook’s parent company) is facing scrutiny over the use of tracking pixels on hospital websites and even inside password-protected patient portals. Tracking pixels are typically used for tracking visitor activity and trends and for targeted marketing.

In the case of Community Health Network, the health system said it used the tracking tech to “better understand how patients and other users interacted with our website.”

“Upon learning of concerns about the use of third-party tracking technologies by healthcare organizations, Community initiated an internal investigation that included engaging a third-party forensic firm to perform a detailed technical evaluation of the technologies implemented on our websites and applications,” the notice explained.

After learning that the third-party tech was installed on its patient portal and some appointment scheduling sites, Community Health Network began disabling and removing certain technologies from its websites and applications.

“On September 22, 2022, we discovered through our investigation that the configuration of certain technologies allowed for a broader scope of information to be collected and transmitted to each corresponding third-party tracking technology vendor (e.g., Facebook and Google) than Community had ever intended,” the notice continued.

The type of information potentially transmitted varied depending on the user’s activity and each device’s configuration. Community Health Network’s investigation was unable to say with certainty what information was involved or to what extent each user interacted with the data fields.

However, the information could have included IP addresses, locations and times of scheduled appointments, MyChart communications, and more.

Kaiser Permanente Notifies 8.5K of Breach

Kaiser Foundation Health Plan of the Mid-Atlantic States notified 8,556 individuals of improper access to their health information.

In September 2022, Kaiser Permanente determined that an employee had inappropriately accessed medical records without a legitimate reason for doing so.

The employee viewed a variety of information, including names, medical record numbers, phone numbers, birth dates, addresses, medical information, and photographs.

Kaiser Permanente said that there has been no evidence of fraud or misuse of the information, and the individual responsible is no longer employed by Kaiser Permanente.

“We are also reviewing our policies and procedures governing access to patients’ medical records to determine whether additional safeguards are needed to prevent future incidents,” the notice explained.

Wright & Filippis Suffers Ransomware Attack

Wright & Filippis, a provider of prosthetics, orthotics, and accessibility solutions, notified 877,584 individuals of a ransomware attack that it suffered in January 2022.

Although Wright & Filippis’ endpoint security identified and stopped the ransomware shortly after it was executed in January, the company discovered in May that the attack may have impacted protected health information (PHI).

Wright & Filippis’ HR and electronic medical records systems were not affected. However, the breach may have involved the names, birth dates, financial account numbers, Social Security numbers, and health insurance information of current and former patients, along with the names, driver’s license numbers, Social Security numbers, birth dates, and limited financial information of former employees or job applicants.

“Wright & Filippis endeavors to protect the privacy and security of sensitive information. We have worked diligently to determine how this incident happened and are taking appropriate measures to prevent a similar situation in the future,” the notice stated.

“Since the Incident we have implemented a series of cybersecurity enhancements, including installation of additional endpoint detection and response software, resetting all passwords, and rebuilding affected servers.”
