Community Health Network Website Tracking Code Causes 1.5M Patient Data Breach

Community Health Network, the Indiana-based healthcare provider, has acknowledged that its use of Meta and Google’s tracking codes resulted in an unauthorized disclosure of sensitive patient healthcare information. Community Health Network is the latest addition to the ever-growing list of healthcare organizations that have experienced data breaches following the implementation of third-party tracking codes. Affected healthcare organizations include Advocate Aurora Health, WakeMed Health and Hospitals, Novant Health, Medstar Health System, UCSF Medical Center, Dignity Health Medical Foundation, and Northwestern Memorial Hospital.

The Department of Health and Human Services’ Office for Civil Rights received a breach report from Community Health Network, confirming that the protected health information of approximately 1.5 million patients had potentially been disclosed without prior authorization. Like many other healthcare institutions, Community Health Network added third-party monitoring code to its websites in order to monitor user behavior and identify trends. The healthcare provider maintained that the code was implemented in order to improve access to data relating to critical patient treatment services and to operate key functionalities of its websites. The code recorded specific data on how visitors interacted with the webpages as they browsed through them. After learning of concerns about how healthcare groups were using this code, Community Health Network launched an internal inquiry to determine whether sensitive personally identifiable data had been provided to third parties. As part of the forensic investigation, all third-party tracking code on its websites and online applications was thoroughly examined.

According to Community Health Network, the investigation discovered that the code had been placed on several areas of the website, including the pages for making appointments and the MyChart patient interface. Upon further investigation, Community Health Network determined that the configuration of the code had unintentionally permitted a broader scope of data to be gathered and disclosed to each corresponding third-party vendor on September 22, 2022. The information disclosed included computer IP addresses, dates, times, and/or locations of scheduled appointments. However, the type of information varied from person to person depending on how they interacted with the website.

According to Community Health Network, the third-party tracking code has been removed, and improved review and management procedures have been put in place for all website technologies going forward. All individuals potentially affected by the data breach will be notified by letter.