Breach, Privacy, Application security, Ransomware

Pixel fallout expands: Community Health informs 1.5M of unauthorized disclosure

Meta sign at headquarters
A car drives by the Meta sign in front of Facebook headquarters on Oct. 28, 2021, in Menlo Park, Calif. (Photo by Justin Sullivan/Getty Images)

Community Health Network recently informed 1.5 million of its patients that its use of the Meta Pixel tracking tool led to the unauthorized disclosure of their health information to the social media giant.

With its notice, CHN is now the fourth healthcare provider to report patient data impacts of its use of Pixel for marketing purposes. So far, WakeMed Health, Advocate Aurora Health, Novant Health, and CHN are the only providers to have reported data impacts by their use of Pixel.

As SC Media recently examined following reports that the Pixel tool was scraping data from hospital sites, many of these covered entities were unaware of the potential risk of leveraging these tools due to gaps in the procurement process.

Marketing teams commonly use these types of tools to better understand patient interactions on their websites and other helpful data points, such as how patient portals are being used. But industry leaders believe the analytics or marketing teams were unaware that the Pixel tool allegedly transmits all of this data gathered on patients and their behaviors to third parties.

Although Meta has denied this occurs, it’s unlikely the covered entity reporting these disclosures to the Department of Health and Human Services would do so without first confirming the unauthorized disclosure had occurred.

For CHN, Pixel was installed as part of its “continued effort to improve access to information about critical patient care services and manage key functionalities of our patient-facing websites,” including evaluating accessibility and trends of users navigating its sites.

CHN teams leveraged both Google and Facebook Pixel tools.

These pixels collected and disclosed “a limited amount of information” from its websites to better understand user and patient interactions. Upon hearing about the pixel scraping on hospital websites, CHN launched an internal investigation of the tech used on its apps and websites with support from an outside forensic firm.

The investigation confirmed the third-party tracking tools were installed on the health network’s website, patient portal, and some of its appointment scheduling sites. Upon discovery, those technologies were removed or disabled from the impacted platforms.

However, CHN discovered on Sept. 22 that the prior configuration of these tools “allowed for a broader scope of information to be collected and transmitted to each corresponding third-party tracking technology vendor,” including both Facebook and Google, and more than the provider “had ever intended.”

Depending on the configuration of the user’s device and their activities on the CHN website, the greater the disclosure could be. As such, the compromised data varied by patient and could include IP addresses, scheduled appointments, provider details, patient portal communications, type of appointment or procedure, medical record numbers, names, and other sensitive data.

There is no evidence “that any Social Security numbers, financial account numbers, or debit/credit card information was collected by or transmitted through the third-party tracking technologies at any time.”

Further, “only certain data fields on the website and patient portal transmitted information through the third-party tracking technologies due to how they were configured.” CHN could not determine specific user interactions, so it’s unclear just what data was involved. As a result, all patients who’ve engaged with a CHN provider since April 6, 2017 are being notified.

CHN is continuing to evaluate how to mitigate similar patient data risks and have bolstered its evaluation and management processes for all website technologies. Its notice also includes educational resources for patients on reducing the risk posed by third-party tracking on all sites — an effort HHS has lauded in the wake of the Supreme Court abortion ruling.

"IT Issue" forces One Brooklyn Health system offline

One Brooklyn Health’s Interfaith, Kingsbrook, and Brookdale hospitals have been forced offline due to an unexplained IT issue, which began on Nov. 19, according to local New York media outlets.

Providers are operating under electronic health record downtime and maintaining patient care using paper processes, while electronic prescribing and all computers appear to be offline. The state Department of Health is aware of the incident and is working with the provider network to prioritize patient safety.

But both the state health department and the health system have declined to comment on whether the incident was caused by nefarious activities.

In a public statement, officials explained that the outage was brought on by “an incident resulting in a network disruption.” The systems were taken “offline to contain the disruption,” and the One Brooklyn IT team is working with “third-party advisors to ensure that our systems are brought back online as quickly and safely as possible, and in a way that prioritizes patient care.”

The statement is similar to those made by healthcare providers that have faced cyber-related outages in the last six months, including the most recent cyberattack on CommonSpirit Health hospitals. 

However, the health system has not confirmed to this outlet, on its website, or social media platforms whether the issue is cyber-related. SC Media is keeping track of the story progress and will issue a separate piece if more information becomes available.

Wright & Filippis informs 878K patients of January data theft

Nearly 878,000 patients tied to prosthetics, orthotics and accessibility solutions provider Wright & Filippis were recently notified that a January ransomware attack possibly led to the theft of their protected health information.

The Wright & Filippis notice shows PHI was impacted and possibly acquired by these attackers on May 2, but patient notices were not sent until Nov. 18 — far outside of the 60-day requirement outlined in the The Health Insurance Portability and Accountability Act. HHS has also reminded covered entities that the timer starts at discovery and not at the close of an investigation.

After the endpoint security tool detected and terminated the ransomware, the systems were secured by Wright & Filippis and an outside security team. They confirmed the electronic medical records and HR systems weren’t impacted, but patient data was accessed and/or acquired by the threat actors.

The stolen data involved both current and former patients and may include names, SSNs, dates of birth, patient numbers, financial account numbers, and/or health insurance information. Similar data on current and former employees was also stolen, with the addition of “limited instances of financial account numbers.”

All impacted individuals will receive complimentary identity monitoring, fraud consultation, and identity theft restoration services. Wright & Filippis has since implemented cybersecurity enhancements, including additional endpoint detection and response software, and rebuilding affected servers.

Gateway Rehabilitation reports June incident affecting 130K patients

The data of 130,000 patients tied to Gateway Rehabilitation Center in Pennsylvania was possibly compromised after “an incident disrupted access to certain systems” on June 13. However, patient notifications were not sent until Nov. 18.

Upon discovering the incident, the impacted systems were secured and an investigation was launched with support from a third-party digital forensics and incident response team. Their analysis confirmed protected health information was impacted on July 8, four months ago.

The compromised data could include patient names, dates of birth, SSNs, driver’s licenses or state IDs, financial accounts and/or payment card numbers, medical data, and health insurance information.

An In-Depth Guide to Application Security

Get essential knowledge and practical strategies to fortify your applications.
Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms of Use and Privacy Policy.

You can skip this ad in 5 seconds