3 More Healthcare Entities Report Website Tracking Breaches
Entities Include NY Hospital, California Urgent Care Clinics, Florida Rehab Center
Three healthcare organizations joined the list of entities treating past use of tracking technologies in patient websites as a data breach reportable to federal authorities.
The latest medical entities admitting web tracker usage incidents are New York-Presbyterian Hospital, UC San Diego Health and Brooks Rehabilitation.
The disclosures come as a growing number of hospitals scrutinize their patient portals and other websites for the presence of web tracking technology offered by firms such as Facebook and Google. Regulators warned healthcare entities in December that trackers in patient websites may violate privacy law (see: HHS: Web Trackers in Patient Portals Violate HIPAA).
Some healthcare sector entities responded by reporting data breaches involving trackers affecting millions of patients, including a breach affecting nearly 3.2 million individuals reported on March 1 by San Francisco-based online mental health services provider Cerebral. The company used website tracking tools from 2019 until recently to share sensitive patient information with third parties including Facebook, Google and TikTok without the individuals' consent.
Some patients have in turn filed proposed class action lawsuits asserting that the trackers wrongly put sensitive health information in the hands of big tech companies.
"Companies want to know exactly what's happening on their websites," said Ian Cohen, CEO of privacy compliance firm Lokker. A 2022 study by the company found web trackers implanted into nearly half of the 5,400 hospital and other medical websites it scanned.
"We all use a lot of tools to operate our sites. So this can be very difficult for companies to manage, and I think there's a lot of uncertainty around their use," he told Information Security Media Group.
New York Presbyterian Breach
New York Presbyterian says its use of trackers affected nearly 54,400 individuals. The hospital said in a March 20 breach report that in January it learned that certain information of patients requesting appointments or second opinions or initiating a virtual urgent care visit on its main public-facing website, www.nyp.org, was potentially accessed by NYP's third-party technology service providers.
NYP determined that the tracking tools probably recorded the IP address of visitors to web pages that included the provider name embedded into the URL. Trackers were also able to record the name, email address, mailing address and gender of patients.
Trackers did not collect protected health information from patient medical records.
UC San Diego Health Incident
UC San Diego says its use of trackers affected 23,000 individuals. The California entity said in a March 16 breach disclosure that technology vendor Solv Health, which hosted and managed scheduling websites, used analytics tools on the scheduling websites for six of its express and urgent care locations "without our authorization." Solv Health did not immediately respond to a request for comment and additional details.
From Sept. 13 to Dec. 22, 2022, the analytics tools may have captured names, birthdates, email and IP addresses, reasons for visits and insurance types. The tools may also have matched users with third-party cookies.
"The scheduling websites were not part of UC San Diego Health's electronic health records systems, MyUCSDChart, and no information within MyUCSDChart was impacted by Solv Health’s use of analytics tools," the hospital says.
UC San Diego Health directed Solv Health to remove the analytics tools from the scheduling websites and worked with the company to investigate and identify individuals whose data had been affected.
Also, UC San Diego Health has transitioned to a new online scheduling tool for its express and urgent care locations and has "enhanced" its vendor assessment and management procedures, the healthcare provider said.
Brooks Rehab Breach
Florida-based Brooks Rehabilitation, which provides services for neurological and other medical conditions, on Jan. 31 reported its tracking tool-related breach as affecting nearly 1,600 individuals.
Brooks said that in December 2022 it determined that tracking technology vendors that provide services to the entity had the capability to view or access individuals' information when a user provided contact information or feedback via a Brooks website.
The tracking technology may have transmitted data including name, phone number, email and IP address and information that users provided in a comment section.
Brooks has no plans to use the tracking technology in the future without confirmation that it no longer has the capacity to transmit potentially identifiable information, the entity said.