Governance & Risk Management , Healthcare , HIPAA/HITECH
Health Entity Says Tracking Code Breach Affects 3 MillionAdvocate Aurora Health Has Since Disabled Tools From Google, Facebook
A Midwestern hospital system is treating its use of Google and Facebook web tracking technologies as a data breach, notifying 3 million individuals that the computing giants may have obtained patient information.
Advocate Aurora Health says it embedded pixel tracking technologies into its patient portals and some of its scheduling widgets in a bid to "better understand patient needs and preferences."
The nonprofit system of 27 hospitals and more than 500 healthcare facilities in Illinois and Wisconsin reported itself to the Department of Health and Human Services on Oct. 14, telling the federal government that it had undergone a breach involving unauthorized access or disclosure.
Concerns over healthcare industry use of tracking pixels have exploded, especially after the Supreme Court's June decision to overturn Roe v. Wade, the five-decade judicial precedent that guaranteed nationwide access to abortion. Reproductive health and privacy experts have warned that law enforcement may attempt to collect information about abortions through digital footprints left online and in smartphones.
In a statement, Advocate Aurora Health says it has since disabled or removed web tracking services provided by several vendors, including Google and Facebook. The third parties obtained data including the first and last names, dates, times and types of scheduled appointments or procedures and insurance information. The extent of data collection may have varied depending on whether users were also logged into Facebook or Google and the extent of their browser cookie blocking.
The organization says it has launched an internal investigation to better understand what patient information was transmitted. The tech giants did not obtain patients' Social Security numbers or payment card data. "We are not aware of any misuse of information arising from this incident," Advocate Aurora Health says.
Facebook parent Meta faces at least four proposed class action lawsuits on the verge of being consolidated into a single court case for alleged violations of HIPAA through its tracking technology (see: Facebook Slapped with Another Health Data Privacy Lawsuit).
A recent study by data privacy firm Lokker found that the array of hospitals and healthcare provider websites using Facebook Pixel and similar tracking tools reaches around 2,500, company CEO Ian Cohen said in a recent interview with Information Security Media Group (see: Online Tracking Tools Provoke Patient Privacy Concerns).
Cohen suggests companies "remove the pixel while they figure out where it lives and what data it is collecting. Make sure it doesn't live on any page that gathers data or where people are looking up medical questions of any kind."
While Advocate Aurora Health implemented a "prudent" remedial measure by disabling the pixels, says regulatory attorney Rachel Rose, "the preventative measure of understanding how the pixels worked and what data was being accessed should have been done upfront." Rose is not involved in the Meta litigation.
'Magnitude of Danger'
The healthcare industry, spurred by lawsuits, is only beginning to recognize "the magnitude of danger" from tiny bits of code exploiting software intended to facilitate patient communication and access, says regulatory attorney Paul Hales of Hales Law Group, who is not involved in the Meta litigation.
"Senior management evidently has been unaware of this technical issue. They are responsible for lawful operations and should take immediate action to identify and remove the threats and secure their information systems," he says.
"Advocate Aurora Health candidly admits it unknowingly harbored hidden computer codes allowing continuous exposure of patient medical identities. This is the latest revelation of the extraordinary danger to patient safety caused by furtive pieces of software designed to identify and track patients and profit from unauthorized use of private health information," he says.
Advocate Aurora Health declined Information Security Media Group's request for additional details.