Main menu

Pages

Lawyer data breach affects 3 million

featured image

A data breach at hospital systems giant Advocate Aurora Health may have exposed the information of as many as 3 million patients using online patient portals and other tools, the system said.

Attorney Aurora, who has 27 hospitals in Illinois and Wisconsin, said exposed patient data could include IP addresses; dates, times and/or locations of scheduled appointments; a patient’s proximity to an Advocate Aurora Health location; information about the patient’s provider; types of appointments or procedures; and communication between patients and others in MyChart.

Attorney Aurora said on its website that it has launched an internal investigation and does not believe that Social Security numbers, financial accounts, credit or debit card information were leaked.

The system said the breach was unlikely to lead to identity theft or financial damage, and it saw no evidence of information misuse or fraud.

The health system cited pixel technology as the cause of the breach. These pixels are bits of code that organizations can use to monitor how consumers use their websites and apps.

Attorney Aurora said in a statement that it has learned that pixels and similar technologies installed on patient portals and some planning widgets send patient information to external vendors who supply the pixels. Lawyer Aurora said people logging into their Facebook or Google accounts at the same time may have been particularly affected.

According to the statement, the hospital system has since disabled or removed the pixels. A spokesperson was unable to immediately answer a question Thursday afternoon about when these pixels were removed or disabled.

“We take patient privacy very seriously, we use robust internal controls to protect patient data, and we are committed to complying with all applicable laws for our operations,” attorney Aurora said in a statement. she said. “Like others in our industry, we have used internet monitoring technologies to improve the consumer experience on our websites and encourage individuals to plan necessary preventive maintenance. We thoroughly evaluate the information we collect and track.”

Other hospital systems have also been grappling with privacy issues with pixel technology in recent months. A lawsuit filed against Meta in federal court in California alleges that hundreds of hospital and medical provider websites are using the technology.

A Northwestern Memorial Hospital patient living in Skokie filed a lawsuit in federal court against Northwestern, Meta, and Facebook in August, and the hospital’s Meta and Facebook’s “Meta Pixel” were used to illegally collect private medical information of Northwestern Memorial Hospital patients and, according to the complaint, use this data for your own benefit This case seeks class action status.

Two Rush hospital system patients filed a similar lawsuit in federal court on September 30, claiming that Rush “disclosed personally identifiable patient data, including the patient status of plaintiffs and class members and the content of their communications with Rush, to third parties, including: ” He claimed. Facebook, Google and a digital advertising company.” This case also includes pixel technology.

Rush said in a statement: “RUSH is deeply committed to patient privacy and takes any implication that data has been improperly shared with the utmost urgency. We are aware of and are investigating the case and intend to vigorously defend RUSH against the plaintiffs’ claims.”

A spokesperson for the Northwest said Thursday that the system has not commented on the pending lawsuit.

North Carolina system WakeMed Health & Hospitals reported on its website last week that some of their patients’ information may have been disclosed via Facebook-provided pixels.

Attorney Aurora reports that the violation was reported to the U.S. Department of Health and Human Services’ Civil Rights Office. Health systems should report violations of protected health information involving 500 or more people to the office that publishes reports on a public website called the Wall of Shame. The Office of Civil Rights investigates such violations and, depending on the severity, may impose fines on healthcare systems.

The Attorney Aurora breach is the largest health data incident reported to the office this year.

Data breaches have plagued hospital systems across the country for years as hospitals try to keep up with ever-changing technologies, burgeoning cybercrime activity, and competing demands for their money and time.

Patients with questions about the Attorney Aurora violation can call 866-884-3206 Monday through Friday from 7:00 AM to 7:00 PM and Saturday from 9:00 AM to 2:00 PM.

lschencker@chicagotribune.com

Comments