Atrium Health notifies 586K of past tracking tech use

Atrium Health reported a healthcare data breach to OCR after discovering that it had used online tracking tech within its patient portal between 2015 and 2019.

Atrium Health notified nearly 586,000 individuals of a data breach stemming from its past use of online tracking tech within its patient portal. Atrium said that it first conducted a review of its online technologies in June 2022, when the prevalence of healthcare organizations using third-party tracking tech on their websites first came to light.

However, Atrium's review at the time focused only on its current use of those technologies. In 2024, Atrium expanded its scope and conducted a review of the use of tracking technologies from January 2015 to the present. Atrium determined that these technologies were used on certain portions of the Patient Portal from January 2015 until July 2019.

"These commonly used internet technologies were utilized to help operate certain features of our Patient Portal and enhance the online experience for users," Atrium said.

"We have learned that, during this time frame, these technologies may have transmitted certain personal information to third-party vendors, such as Google and Facebook (now Meta)."

Atrium said that it was not possible to determine exactly what data was transmitted to third parties. As a result, Atrium sent breach notifications to all MyAtriumHealth (formerly MyCarolinas) patient portal users who used the portals during the period in question.

Users might be affected in different ways depending on their choice of web browser, use of cookies, the configuration of their browsers and whether they had accounts with third-party vendors, such as Meta.

The information that was potentially transmitted to third parties included IP addresses, cookies and information about providers or treatment. Atrium said it had no evidence that any of the information had been misused in any way.

This incident is unrelated to a data breach that Atrium Health reported in September 2024 surrounding a phishing scheme.

Massachusetts hospital reports data security incident

Anna Jaques Hospital, a 119-bed community hospital in Massachusetts, notified approximately 316,000 individuals of a data security incident that occurred around December 25, 2023. Anna Jaques said that when it discovered that certain systems had been affected by the incident, it immediately secured its environment and conducted a thorough investigation.

Anna Jaques posted a notice on its website in January 2024 as it continued to conduct its investigation. On November 4, 2024, after a forensic investigation and manual document review, the hospital determined that certain files were accessed by an unauthorized party.

The affected information potentially included demographic information, medical and health insurance information, Social Security numbers, driver's license numbers and financial information.

"Anna Jaques has no indication that there has been any fraud as a result of this incident," the notice stated.

The organization encouraged employees and patients to remain vigilant and monitor accounts and explanations of benefits statements for any fraudulent activity.

Colonial Behavioral Health suffers data breach

Virginia-based Colonial Behavioral Health (CBH) notified nearly 30,000 individuals of a data breach. CBH experienced issues with its computer systems in October 2024 and determined that a ransomware attack had occurred. CBH said it was able to care for patients amid the system disruptions.

Further investigation revealed that an unauthorized user logged into CBH systems in May 2024 and remained undetected until October 4, 2024, when they encrypted CBH's IT systems.

The unauthorized user potentially accessed and obtained information during their time in the system, including demographic, clinical and claims information. CBH said it notified state and federal law enforcement, including the Cybersecurity and Infrastructure Security Agency and the FBI.

CBH notified affected individuals of the breach and offered complimentary credit monitoring to those affected.

Jill McKeon has covered healthcare cybersecurity and privacy news since 2021.
