Community Health Network in Indiana is the most recent healthcare company to announce the impermissible disclosure of patients’ protected health information (PHI) to Google and Meta/Facebook as a result of adding their tracking code to its web pages. Based on the breach report sent to the HHS’ Office for Civil Rights, the PHI of around 1.5 million individuals may have been impermissibly disclosed.
Like many other healthcare companies, Community Health Network added third-party tracking code to its web pages to follow the movement of users as they clicked through the site. Community Health Network stated the code was used to improve access to information about critical patient care services and to manage key features of its patient-facing websites.
The code collected certain data about website users’ interactions when they visited its web pages. After learning of the concerns about healthcare companies’ use of this code, Community Health Network started an internal investigation to find out whether sensitive individually identifiable data had been transmitted to third parties. The forensic investigation included a thorough assessment of all third-party tracking code on its web pages and web applications.
Community Health Network explained in its substitute breach notice that the code was placed in different areas of the website, such as the appointment booking pages and the MyChart patient site. On learning of the problem, it disabled and/or removed certain technologies from its websites and applications while the internal investigation worked to better understand the nature of the data these technologies collected and transmitted. Further investigation showed, on September 22, 2022, that the configuration of the code had inadvertently allowed a wider range of data to be collected and transmitted to third-party tracking technology vendors such as Facebook and Google than Community Health Network had intended.
The types of data sent differed from person to person according to their interactions on the web pages. They could have included computer IP address; times, dates, and/or locations of booked consultations; details about a patient’s health care company; the type of consultation or procedure booked; and communications made via the MyChart site, which could have included first and last names, medical record numbers, whether a person had insurance, and, if a person had a proxy MyChart account, the proxy’s name.
Community Health Network stated that it has deleted the third-party tracking code and has put in place better analysis and management procedures for all website technologies. It also decided to send notification letters to all persons who consulted with a Community provider or associated entity on or after April 6, 2017, the date the tracking code was added to the websites.
Other healthcare providers have likewise been affected after placing Meta Pixel and other third-party tracking code on their web pages. These are WakeMed Health and Hospitals, Advocate Aurora Health, Novant Health, UCSF Medical Center, Medstar Health System, Northwestern Memorial Hospital, and Dignity Health Medical Foundation.