Posted On November 25, 2022 Consumer Privacy & Data Breaches
On November 18, 2022, Community Health Network (“Community”) filed notice of a data breach with the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) after learning that the organization’s use of third-party tracking technologies disclosed sensitive patient data to unauthorized parties. Based on the company’s filing with the HHS-OCR, the incident resulted in an unauthorized party gaining access to patients’ protected health information. After confirming that consumer data was leaked, Community began sending out data breach notification letters to all individuals who were impacted by the recent data security incident.
If you received a “Notice of Third-Party Tracking Technology Data Breach” letter from Community Health Network, it is essential you understand what is at risk. The data breach lawyers at Console & Associates, P.C. are actively investigating the Community data breach on behalf of people whose information was exposed. As a part of this investigation, we are providing free consultations to anyone affected by the breach who is interested in learning more about the risks of identity theft, what they can do to protect themselves, and what their legal options may be to obtain compensation from Community Health Network.
The available information regarding the Community Health Network breach comes from the company’s filing with the U.S. Department of Health and Human Services Office for Civil Rights, as well as a notice posted on the company’s website. According to these sources, as early as April 2017, Community Health Network used a technology called pixels, which enabled the organization to track the activity of those who visited the Community Health Network website. These pixels collect and disclose certain information about visitors and how they interact with the organization’s website.
However, in light of recent concerns about the use of pixels in the healthcare context, Community Health Network launched an internal investigation to determine whether the organization’s use of pixels compromised patient data. Community Health Network confirmed that third-party tracking technologies were installed on its website, including the MyChart patient portal, and on some of its appointment scheduling sites.
In response, Community Health Network disabled all tracking technologies and then continued the investigation in hopes of learning what, if any, patient data was subject to unauthorized access as a result. On September 22, 2022, Community Health Network learned that the pixels used by the organization were transmitting a greater array of data than Community intended.
Upon discovering that sensitive consumer data was potentially made accessible to an unauthorized party, Community Health Network began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include the following:
On November 18, 2022, Community Health Network sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. The company sent these letters to anyone who visited a Community Health Network on or after April 6, 2017, which is the date the company began using the tracking technology.
Community Health Network is a healthcare services provider based in Indianapolis, Indiana. Community Health Network provides a wide range of services, with over 100 locations across Indiana, including physicians’ offices, specialty and acute care hospitals, surgery centers, home care services, MedChecks, behavioral health and employer health services. Community Health Network employs more than 16,000 people and generates approximately $1 billion in annual revenue.
Data breach and consumer protection laws in the United States impose a duty on companies that store or maintain consumer data, requiring them to do so in a way that preserves the privacy and safety of the information. These same laws also allow for victims of a data breach to hold a company negligent for leaking their information in certain cases. Of course, just because a business gets hacked or a company leaks consumer information doesn’t mean that it is financially liable for a victim’s damages—the ultimate question is whether the company was negligent.
The basic framework of a negligence analysis requires a data breach victim to prove the following:
When it comes to storing, transmitting and using consumer data, companies can be negligent in a number of ways. Below are some of the most common examples of how a company’s negligence may lead to a data breach.
Note that none of these scenarios involve an intentional action on the part of an organization. Thus, it is possible for consumers to hold a corporation financially liable for negligently leaking their information. Data breach victims who want to learn more about their rights and whether they may be able to bring a data breach class action lawsuit should reach out to a data breach attorney for assistance.
At Console & Associates, P.C., our consumer privacy lawyers monitor all security and data breaches to help affected consumers pursue their legal remedies. We offer free consultations to victims of data breaches and can explain your rights in clear, understandable terms so you can make an informed decision about how to proceed with your case. If you’ve been affected by the Community data breach or any other data security incident, Console & Associates, P.C., will investigate your case at no charge and offer you thorough advice about how to most effectively proceed with your case. If you decide to bring a case, we only get paid if you do. If your claim is successful, any legal fees are either paid by the defendant or come out of the funds recovered from the defendant. If your claim doesn’t result in a recovery, you will pay nothing.
To schedule your free consultation, just call (866) 778-5500 today or fill out our secure contact form.
Below is a copy of the initial data breach letter issued by Community Health Network (the actual notice sent to consumers can be found here):
Dear [Redacted],
Community Health Network takes the privacy and security of patient information extremely seriously and we are committed to providing as much information as possible about this data breach in order to ensure any individuals who may have been impacted can take the steps necessary to protect themselves and their information. In addition to this notice, we have created an FAQ page with answers to the most common questions we have received related to this incident.
What Happened?
As part of our continued effort to improve access to information about critical patient care services and manage key functionalities of our patient-facing websites, Community uses service providers to help evaluate the accessibility of those websites and information regarding the trends of users navigating the sites. For a period of time, Community, like many other health systems, worked with those service providers to implement and utilize certain Internet tracking technologies provided by third parties such as Google and Facebook. Each of those technologies functioned by collecting and disclosing a limited amount of information associated with our website users. This information allowed us to better understand how patients and other users interacted with our website.
Upon learning of concerns about the use of third-party tracking technologies by healthcare organizations, Community initiated an internal investigation that included engaging a third-party forensic firm to perform a detailed technical evaluation of the technologies implemented on our websites and applications.
That investigation confirmed that third-party tracking technologies were installed on Community’s website, including the MyChart patient portal, and on some of our appointment scheduling sites. When we learned of this, we immediately began working with our service providers to disable and/or remove certain technologies from our websites and applications as we continued our internal investigation in hopes of better understanding the nature of the information that these technologies were collecting and transmitting. On September 22, 2022, we discovered through our investigation that the configuration of certain technologies allowed for a broader scope of information to be collected and transmitted to each corresponding third-party tracking technology vendor (e.g., Facebook and Google) than Community had ever intended.
What Information Was Involved?
Based on the results of our investigation, we determined that the type of information transmitted through the use of these technologies varied depending on the technical configuration of each user’s device as well as the user’s activity within the Community website and MyChart patient portal. Only certain data fields on the website and patient portal transmitted information through the third-party tracking technologies due to how they were configured. Our investigation was unable to determine whether and to what extent each user interacted with these data fields, so we cannot say with certainty what information was involved.
That being said, the scope of information that could have been transmitted to third-party tracking technology vendors includes: computer IP address; dates, times, and/or locations of scheduled appointments; information about an individual’s health care provider; type of appointment or procedure scheduled; communications through MyChart, which may have included first and last name and medical record number; information about whether an individual had insurance; and, if an individual had a proxy MyChart account, the name of the proxy.
We have no indication that any Social Security numbers, financial account numbers, or debit/credit card information was collected by or transmitted through the third-party tracking technologies at any time.
How Do I Know If I Was Impacted?
Out of an abundance of caution, we have decided to notify all patients who have engaged with a Community provider or affiliated entity on or after April 6, 2017, which is the date we began implementing these third-party tracking technologies. An engagement includes scheduling an appointment online or directly with a provider, using the MyChart patient portal to communicate with a Community or affiliated provider, and/or seeking treatment at a Community or affiliated provider location.
What Are We Doing?
We have disabled and/or removed all third-party tracking technologies on patient-facing websites and applications and are continuing to evaluate how to further mitigate the risk of unauthorized disclosures of patient information in the future. We have also improved our evaluation and management processes for all website technologies moving forward.
What Can Potentially Impacted Individuals Do?
Although we have removed all third-party tracking technologies, many other organizations’ websites still use these technologies. Individuals can protect themselves from website tracking by blocking or deleting cookies or using browsers that support privacy-protecting operations. If applicable, individuals may also want to adjust their privacy settings in Facebook and Google.
While understandably concerning, this incident is unlikely to result in identity theft or any financial harm, and we have no evidence that misuse or fraud has occurred. Still, we encourage potentially impacted individuals to regularly review their financial accounts and report any suspicious activity to appropriate authorities.
We apologize for this incident and understand that individuals may have questions. If so, please call our dedicated assistance line at (866) 361-5593, which will be open Monday – Friday 9 a.m. – 7 p.m. Eastern.