Online Alcohol Counseling Service Provider Reports 109K-record Tracking Tool Data Breach
Monument Inc., a New York-based online alcohol addiction and treatment service provider, has recently notified almost 109,000 individuals about an impermissible disclosure of some of their personal and protected health information. The disclosure occurred due to the use of tracking code on its websites.
Monument explained in its breach notification letters that an internal review was conducted in late 2022 into the use of website tracking tools after guidance was issued by the HHS’ Office for Civil Rights on pixels and other tracking tools and how they may violate the HIPAA Rules. The internal review was completed on or around February 6, 2023, and it was determined that the tools on its websites potentially transferred identifiable protected health information to third parties who were unauthorized to receive the information, as consent to disclose that information was not obtained and there were no business associate agreements with the companies that provided the tools.
The tracking tools were provided by Google, Facebook (Meta), Pinterest, and Bing, and while present on the websites, the tools may have transferred names, birth dates, telephone numbers, email addresses, Monument IDs, insurance member IDs, unique digital IDs, photographs, uniform resource locators, assessments and surveys, selected services and plans, appointment information, and associated health information. The types of information disclosed varied from individual to individual depending on their interactions on the websites.
The tracking tools were added to Monument websites in January 2020 and had been present on the Tempest websites since November 2017. Monument acquired Tempest in May 2022. Monument said it fully disconnected its websites from the tools on February 23, 2023, and has terminated third-party advertising relationships with the providers of the tracking tools. In the future, Monument will only use third-party vendors that meet HIPAA requirements and other privacy laws.
The decision was taken to notify all Monument members, even if they did not create an account or did not go on to become patients of Monument or Tempest’s medical groups (Live Life Now Health Group and Purdy Medical Corp). While there is no evidence of misuse of the disclosed information, affected individuals have been offered free membership to a credit monitoring service.
Monument is the latest healthcare organization to issue notifications about tracking tool-related data breaches over the past few months since these tools were discovered to be sending sensitive data to third parties. A recent study by researchers at the University of Pennsylvania suggests 99% of hospitals in the U.S. use tracking tools on their websites, while a study by The Markup indicates these tools are extensively used by online counseling service providers.
These impermissible disclosures have sparked several lawsuits, and while there has been no action taken by OCR in response to these breaches, the Federal Trade Commission has taken action against non-HIPAA-covered entities such as GoodRx and BetterHelp.


