Website Tracking Code Breach Discloses PHI Of Up To 1.5 Million Patients In Community Health Network

The HIPAA-covered entity Community Health Network, based in Indiana, recently reported to the U.S. Department of Health and Human Services’ Office for Civil Rights that the protected health information of approximately 1.5 million patients may have been unintentionally exposed to Meta/Facebook and Google, as their tracking code had been implemented on the network’s websites.

In response to concerns raised about the use of third-party tracking code by healthcare organizations, Community Health Network conducted a thorough internal investigation to identify any transmission of sensitive, personally identifiable information. Through a rigorous forensic evaluation, the organization reviewed all the third-party tracking code implemented on its websites and web applications. The goal of the code was to better understand user habits when navigating the website and to manage key functionalities of the patient-facing sites.

Community Health Network announced that the probe had revealed that the code had been added to parts of the website, including the appointment scheduling pages and the MyChart patient portal. In response, the organization immediately began working with its service providers to disable and/or remove the technologies while it conducted its internal investigation to determine what information was transmitted to third-party tracking technology vendors (i.e. Facebook and Google). On September 22, 2022, it was discovered that the configuration of the code had inadvertently allowed a larger range of data to be collected and transmitted than originally intended. The data transmitted could vary depending on an individual's activity on the websites. It may include computer IP address; dates, times and locations of appointments; information regarding the individual's healthcare provider; type of appointment or procedure; and messages sent through the MyChart portal, which could include first and last names, medical record numbers, insurance status and the name of the proxy if an individual has a proxy MyChart account.

Community Health Network recently took action to remove third-party tracking code from its websites and to implement better evaluation and management processes for all website technologies. Additionally, it notified all individuals who had interacted with a Community provider or related entity since April 6, 2017, when the tracking code was originally placed on the website.