Indiana-based Community Health Network is the latest healthcare provider to confirm that the protected health information of patients has been impermissibly disclosed to Meta/Facebook and Google due to the use of their tracking code on its websites. According to the breach report submitted to the HHS’ Office for Civil Rights, the protected health information of up to 1.5 million patients has potentially been impermissibly disclosed.
Like many other healthcare organizations, Community Health Network added third-party tracking code to its websites to identify trends in how users navigated them. Community Health Network said the code was added “to improve access to information about critical patient care services and manage key functionalities of our patient-facing websites.”
The code collected certain information about website users’ interactions as they navigated through its websites. After learning of concerns about the use of this code by healthcare organizations, an internal investigation was launched to determine whether sensitive individually identifiable information had been transferred to third parties. The forensic investigation involved a highly detailed evaluation of all third-party tracking code on its websites and web applications.
Community Health Network said the investigation revealed the code had been added to various parts of the website, including the appointment scheduling pages and the MyChart patient portal. “When we learned of this, we immediately began working with our service providers to disable and/or remove certain technologies from our websites and applications as we continued our internal investigation in hopes of better understanding the nature of the information that these technologies were collecting and transmitting,” explained Community Health Network in its substitute breach notice. Further investigation revealed on September 22, 2022, that the configuration of the code had inadvertently allowed “a broader scope of information to be collected and transmitted to each corresponding third-party tracking technology vendor (e.g., Facebook and Google) than Community had ever intended.”
The types of information transmitted varied from individual to individual based on their interactions on the websites and may have included computer IP address, dates, times, and/or locations of scheduled appointments, information about an individual’s health care provider, type of appointment or procedure scheduled, and communications that were made through the MyChart portal, which may have included first and last names, medical record numbers, whether an individual had insurance, and, if an individual had a proxy MyChart account, the name of the proxy.
Community Health Network said it has removed the third-party tracking code and has implemented enhanced evaluation and management processes for all website technologies moving forward. The decision was taken to issue notification letters to all individuals who had engaged with a Community provider or affiliated entity on or after April 6, 2017 – the date that the tracking code was added to the websites.
Other healthcare organizations that have been similarly affected after adding Meta Pixel and other third-party tracking code to their websites include Advocate Aurora Health, WakeMed Health and Hospitals, Novant Health, Medstar Health System, UCSF Medical Center, Dignity Health Medical Foundation, and Northwestern Memorial Hospital.