The Public Health Network said on September 22 that it had discovered that the configuration of certain pixels on its digital properties allows for a broader range of patient information to be collected and transferred. to third-party vendors, such as Meta and Google, than expected.
WHY IT IMPORTANT
Companies that provide online trackers have been accused in class-action lawsuits of allegedly targeting people with ads based on their health-related information collected through websites. healthcare system web and patient portal.
The community announced on November 16 on its website that it had launched an investigation into its own data tracking practices and hired a third-party forensic team.
“That investigation confirmed that third-party tracking technologies were installed on Community websites, including the MyChart patient portal and on some of our appointment booking sites, ” the health network said in the statement.
“Once we became aware of this, we immediately began working with our service providers to disable and/or remove certain technologies from our websites and applications. us as we continue to investigate internally in hopes of better understanding the nature of the information these technologies are collecting and transmitting.”
The community also said the investigation found no evidence that abuse or fraud had occurred as a result of the breach and “cannot say with certainty what information was involved.”
The data can be the computer’s IP address; the date, time and/or location of scheduled appointments; information about an individual’s healthcare provider; the type of appointment or procedure scheduled; contact information via MyChart – may include first and last name and medical case number; information about whether an individual has insurance and whether an individual has a proxy MyChart account and the name of the proxy.
“We have no indication that any Social Security numbers, financial account numbers, or debit/credit card information are collected or transmitted through any third-party tracking technologies. anytime,” Community said.
TREND TO BIGGER WOMAN
Last week, the US Department of Health and Human Services issued guidance on the use of online tracking tools in healthcare.
It comes after months of confusion and class-action lawsuits as health systems curate a new front for patient privacy and security. Community Health Network joins several healthcare providers who are discovering that they are unaware of how, when and what patient data is being transmitted to third-party marketing efforts.
Pixel technology uses Java tracking scripts to send organization data to technology owners, which can be shared with network marketing partners targeting individuals with incentives and relevant advertising.
Because patient data cannot be shared under HIPAA, consumer data mining practices – often criticized for a lack of transparency – have long raised medical privacy concerns.
A class-action lawsuit filed in June against Meta Platforms, owned by Facebook, accuses the social media giant of knowingly receiving patient data from at least 664 hospitals or service providers medical services and monetize that information for targeted advertising.
“This illegal data collection was done without the patient’s or plaintiff’s knowledge or permission, in violation of federal and state law and Facebook’s own contracts with users,” the document said. court data said.
“When a patient communicates with a healthcare provider’s website where the Facebook Pixel shows up on the patient portal login page, the Facebook Pixel source code makes the patient’s correct communication with the provider their healthcare provider is redirected to Facebook in a way that identifies them as a patient.”
For example, in October, Advocate Aurora Health sent out letters to 3 million patients in Illinois and Wisconsin about a potential data breach involving tracking pixels. In August, Novant Health announced it had notified its 1.3 million patients of a third-party data breach.
Recent lawsuits reveal potential liability for failure to provide patient privacy protections that healthcare organizations are obligated to comply with by law.
Andrew Mahler, a former investigator with the HHS Office for Civil Rights and now the Deputy Director of Privacy and Compliance at CynergisTek, emphasizes the importance of healthcare organizations performing risk analysis. thoroughly, provide appropriate training and education, and seek independent third-party review of policies, procedures, and systems.
“What makes this situation particularly complicated and worrisome is that healthcare organizations themselves may not be aware that the Meta Pixel engine has been embedded in their website and/or that the tool is following track, compare, and receive patient data, including [protected health information],” he said Healthcare IT News earlier this month when asked about privacy challenges and best practices where websites track users’ online behavior.
ON PROFILE
“The community used applicable third-party tracking technologies from April 6, 2017, until most of them were disabled and/or removed between August and November 2022 when the Our investigation progresses,” the healthcare provider said in a separate FAQ on its website.
Andrea Fox is the senior editor of Healthcare IT News.
Email: [email protected]
Healthcare IT News is a publication of HIMSS.
