The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

UC San Diego Health Announces Impermissible Disclosure of Patient Data Due to Website Analytics Code

Posted By on Mar 20, 2023

University of California (UC) San Diego Health is the latest healthcare organization to start notifying patients that some of their protected health information has been impermissibly disclosed to third parties due to the use of website tracking technologies. UC San Diego Health said the analytics code was added to its scheduling websites by one of its business associates, Solv Health, without authorization from UC San Diego Health. UC San Diego Health contracted with Solv Health to provide website hosting and management services.

The analytics code captured limited data of visitors to the scheduling websites who booked in-person or telehealth appointments. The captured information was then impermissibly disclosed to the third parties that provided the code. UC San Diego Health did not state in its breach notifications who the third parties were but said they received first and last names, birth dates, email addresses, IP addresses, third-party cookies, reasons for the appointments, and insurance type (e.g., PPO, HMO, Other).

UC San Diego Health confirmed that Social Security numbers, medical record numbers, financial account numbers, and debit and credit card information were not disclosed and the analytics code was not used on its electronic health record or MyUCSDChart systems, so no information within those systems was disclosed. UC San Diego Health said notification letters started to be mailed to affected individuals on March 20, 2023. Those individuals had used the scheduling websites for its Express Care (La Jolla) or Urgent Care locations (Downtown San Diego, Encinitas, Eastlake/Chula Vista, Pacific Highlands Ranch, & Rancho Bernardo).

When the analytics code was discovered in December 2022, UC San Diego Health directed Solv Health to immediately remove the code from the scheduling websites and worked with Solv Health to determine who had been affected. UC San Diego Health is now using a new online scheduling tool and has enhanced its vendor assessment and management procedures.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The incident was reported to the HHS’ Office for Civil Rights as affecting 23,000 individuals.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist