Atrium Health Discovers Historic Use of Tracking Technologies on its Patient Portal
Charlotte, NC-based Atrium Health has recently informed almost 600,000 patients about a privacy breach related to the use of online tracking technologies on its patient portal. Tracking technologies, such as pixels, are code snippets that record browsing/usage data, such as the pages visited while on a website and other user interactions. The data collected by these tools can also be used to serve individuals with personalized ads.
In June 2022, a report by The Markup/STAT revealed that one-third of the top 100 U.S. hospitals had these tools installed, and another study indicated that 99% of hospitals had tracking tools on their websites that captured identifying user data and transferred that data to third-party tech firms such as Meta Platforms and Google without users’ knowledge or consent. Atrium Health informed patients that when the use of these tools on healthcare websites was called into question in 2022, an internal investigation was launched to determine whether the tracking tools had been added to its patient portal, and Atrium Health was satisfied that this was not the case.
Earlier this year, Atrium Health revisited its review of the use of these tools on the patient portal; this time the analysis went back further, covering the period from January 2015 to the present. Atrium Health discovered the historic use of these tools on certain parts of the patient portal between January 2015 and July 2019. Atrium Health then analyzed the types of information that were potentially transmitted to third parties via these code snippets.
While the analysis did not allow Atrium Health to conclusively determine whether sensitive, identifying user data had been transferred to third parties, Atrium Health is working on the assumption that all individuals who used the MyAtriumHealth patient portal (formerly called MyCarolinas) between January 2015 and July 2019 potentially had information transmitted to third parties without their knowledge or consent.
The types of data involved varied from individual to individual and would have been influenced by several factors, such as the type of browser they used, how it was configured, whether they were blocking or clearing cookies, whether they had accounts with the third-party vendors that provided the tracking tools (e.g. Meta, Google, and other social media platforms), whether they were logged into those platforms at the time, and the specific interactions they had within the patient portal.
Information potentially transferred to third parties included identifying information such as IP addresses and third-party identifiers/cookies, combined with a URL visited or a button that was clicked, information about their treatment or provider, and information contained in any forms they filled out. Form information may have included their full name, email address, phone number, city, state, zip code, gender, and any other information entered into that form. Atrium Health determined that Social Security numbers and financial information were not involved. Atrium Health said there is no evidence to suggest that any of the disclosed information has been misused or will be used for identity theft or fraud. Up to 585,959 patients were potentially affected.
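The disclosure flow described above is typical of tracking pixels: a vendor snippet pasted into a page loads a remote script, fires inline tracking calls, and falls back to a 1x1 image beacon, each of which sends the visitor's IP address, cookies and the current URL to the vendor. A first step in auditing whether such snippets are present on authenticated pages is to enumerate every third-party resource a page would load. The following is an added example for illustration only, not code from Atrium Health, the HIPAA Journal or any vendor; the sample page, the `portal.example.org` host, the pixel ID placeholder and the list of tracker hosts are assumptions made for the example, and the loader snippet is a simplified stand-in rather than any vendor's actual code.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Illustrative list of well-known third-party tracker hosts (an assumption for
# this example; a real audit would maintain a curated list).
KNOWN_TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel (image beacon)",
    "www.google-analytics.com": "Google Analytics",
    "www.googletagmanager.com": "Google Tag Manager",
}

# Inline JavaScript calls that indicate a tracker snippet was pasted into the page.
INLINE_PATTERNS = {
    "Meta Pixel": re.compile(r"\bfbq\s*\("),
    "Google Analytics": re.compile(r"\b(ga|gtag)\s*\("),
}

# Hosts appearing as string literals inside scripts (loader snippets inject the
# real tracker script at runtime, so the host never appears in a src attribute).
URL_HOST_RE = re.compile(r"https?://([A-Za-z0-9.-]+)")


class TrackerAuditor(HTMLParser):
    """Collect remote resources and inline tracker calls from one HTML page."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host
        self.findings = []          # (vendor, how it loads, host)
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_text = []
        if tag in ("script", "img", "iframe") and attrs.get("src"):
            self._check_url(tag, attrs["src"])

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag != "script":
            return
        self._in_script = False
        text = "".join(self._script_text)
        for host in URL_HOST_RE.findall(text):
            if host in KNOWN_TRACKER_HOSTS:
                self.findings.append((KNOWN_TRACKER_HOSTS[host], "script loader", host))
        for vendor, pattern in INLINE_PATTERNS.items():
            if pattern.search(text):
                self.findings.append((vendor, "inline call", "<inline>"))

    def _check_url(self, tag, url):
        host = urlparse(url).hostname
        if host is None or host == self.first_party_host:
            return  # relative or same-origin resource: no third-party disclosure
        vendor = KNOWN_TRACKER_HOSTS.get(host, "unknown third party")
        self.findings.append((vendor, tag, host))


def audit_page(html, first_party_host):
    """Return every third-party load or tracker call found in the page source."""
    auditor = TrackerAuditor(first_party_host)
    auditor.feed(html)
    auditor.close()
    return auditor.findings


# Constructed sample of an authenticated portal page carrying a pixel snippet.
SAMPLE_PORTAL_PAGE = """
<html><head>
<title>Appointments - Example Patient Portal</title>
<script src="/static/portal.js"></script>
<script>
  // Constructed stand-in for a vendor loader: injects the tracker script at runtime
  (function(d, s){ var t = d.createElement('script'); t.src = s; d.head.appendChild(t); })
    (document, 'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', 'PLACEHOLDER_PIXEL_ID');
  fbq('track', 'PageView');
</script>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView&noscript=1"/></noscript>
</head><body>
<h1>Your upcoming visit with Dr. Example (Oncology)</h1>
<img src="https://portal.example.org/images/logo.png" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    for vendor, how, host in audit_page(SAMPLE_PORTAL_PAGE, "portal.example.org"):
        print(f"{vendor:28} via {how:14} -> {host}")
```

Run against the sample page, the auditor reports the runtime loader, the inline `fbq` calls and the `<noscript>` image beacon separately, because each is an independent path by which the page title (here revealing a visit with an oncology provider) and the visitor's identifiers leave the site. Static source review of this kind is a starting point only: tag managers and consent scripts can load further trackers after the page renders, so a complete audit also records the browser's actual outbound requests on authenticated pages.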
“We take this matter very seriously and we’re continuing to monitor our information security systems, making improvements and enhancements where appropriate and evaluating any use of online technologies, consistent with our commitments to patient privacy,” explained Atrium Health in the substitute breach notice on its website. “We apologize for any concern or inconvenience this may have caused and remain committed to protecting the confidentiality and security of our patients’ information. We have and will continue to enhance our security controls, as appropriate, to minimize the risk of similar situations in the future.” This is the second data breach to be announced by Atrium Health this year. In September, Atrium Health notified around 32,000 patients that some of their protected health information had been compromised in a phishing attack.
In 2022, in response to the widespread use of online tracking tools by healthcare providers and the potential for impermissible disclosures of patient information, OCR issued guidance to HIPAA-regulated entities on the use of these tools. OCR confirmed that under HIPAA such tools were generally not permitted. The legality of the guidance was challenged and a Texas judge partially vacated the guidance, which means these tools can be used on unauthenticated web pages, but not on authenticated pages such as patient portals.