Community Health Network reports online tracking data breach affecting 1.5 million

December 6, 2022 CynergisTek, Inc.

The Indiana provider says pixels used to collect information about website users may have transferred certain types of patient information since 2017.


Community Health Network said it discovered on September 22 that the configuration of certain pixels on its digital properties allowed for a broader scope of patient information collection and transfer to third-party vendors, such as Meta and Google, than it realized. 


Companies that provide online tracking tools have been accused in class-action lawsuits of allegedly targeting ads to people based on information regarding their health that was collected through healthcare system websites and patient portals. 

Community announced November 16 on its website that it launched an investigation into its own data-tracking practices and hired a third-party forensic team.

"That investigation confirmed that third-party tracking technologies were installed on Community's website, including the MyChart patient portal and on some of our appointment scheduling sites," the health network said in the statement.

"When we learned of this, we immediately began working with our service providers to disable and/or remove certain technologies from our websites and applications as we continued our internal investigation in hopes of better understanding the nature of the information that these technologies were collecting and transmitting."

Community also said that the investigation has not found evidence that misuse or fraud has occurred as a result of the breach, and it "cannot say with certainty what information was involved."

The data could be computer IP address; dates, times and/or locations of scheduled appointments; information about an individual's healthcare provider; type of appointment or procedure scheduled; communications through MyChart – which may have included first and last name and medical record number; information about whether an individual had insurance and if an individual had a proxy MyChart account, and the name of the proxy.

"We have no indication that any Social Security numbers, financial account numbers or debit/credit card information was collected by or transmitted through the third-party tracking technologies at any time," Community said.

Continue reading here

About the Author

CynergisTek, Inc.

CynergisTek is a top-ranked cybersecurity consulting firm dedicated to serving the information assurance needs of healthcare. CynergisTek offers specialized services and solutions to help organizations achieve privacy, security, and compliance goals. The company has been recognized by KLAS in the 2016 and 2018 Cybersecurity reports as a top performing firm in healthcare cybersecurity, as well as the 2017 Best in KLAS winner for Cybersecurity Advisory Services.

Follow on Twitter Follow on Linkedin Visit Website More Content by CynergisTek, Inc.
Previous Article
‘Out of control’: Dozens of telehealth startups sent sensitive health information to big tech companies
‘Out of control’: Dozens of telehealth startups sent sensitive health information to big tech companies

A joint investigation by STAT and The Markup of 50 direct-to-consumer telehealth companies found Virtual ca...

Next Article
OCR Outlines Proper Use of Tracking Tech to Maintain HIPAA Compliance
OCR Outlines Proper Use of Tracking Tech to Maintain HIPAA Compliance

Andrew Mahler discusses recent OCR bulletin outlining how organizations using tracking tech like Meta Pixel...