Breach, Incident Response, Supply chain

UC San Diego Health latest provider to report pixel-tracking incident

UC San Diego Health sign on hospital building facade.

University of California San Diego Health notified an undisclosed number of patients that their data was inadvertently shared with third parties due to its vendor placing analytics tools on its patient-facing websites without UCSD Health’s authorization.

UCSD Health joins a long list of providers to report an unauthorized disclosure to third parties due to the use of Pixel-tracking tech, or marketing analytics tools. But it’s the first provider to notify due to a vendor’s error.

As reported by SC Media, the use of pixels are typically designed to provide analytics of user interactions on websites. The data is compiled into reports that assess how long users are on certain pages and engagement, as well as the effectiveness of marketing campaigns. Reports have since confirmed these tracking tools routinely share data with Meta and its partners.

What’s more, many of the marketing teams that employ these tools were unaware of the patient privacy risks.

For UCSD Health, the “analytics tool” was placed on its scheduling websites for its Express Care and Urgent Care locations by its technology vendor, Solv Health. These websites let patients book provider appointments in-person and online. However, Solv placed “analytics tools on the websites,” which captured and transmitted the data to its third-party service providers.

The compromised data was tied to individuals who made appointments on the affected sites between Sept. 13 and Dec. 22, 2022. The analytics tool may have captured patient names, dates of birth, email addresses, IP addresses, third-party cookies, reason for visit, and insurance type. No Social Security numbers, medical records, or financial information was capture by the sites.

UCSD Health has since directed Solv Health to remove the analytics tools from the affected scheduling websites and worked with the vendor to investigate the incident and identify the affected individuals. The health system has since transitioned to a new scheduling tool and bolstered its vendor assessment and management processes.

Independent Living breach update shows 4M patients impacted by September hack

Miami-based Independent Living Systems recently provided an update to an earlier breach notice, which included the patient data impacts of an apparent ransomware and data exfiltration incident first reported in September 2022. ILS is a healthcare business associate for Florida Complete Care.

While several media outlets reported the ILS hack as the largest healthcare data breach on record this year, the incident in question was already reported to the Department of Health and Human Services last year. The notice is simply an update to a previously recorded hack.

Under the Health Insurance Portability and Accountability Act, covered entities must report any compromises of protected health information to HHS within 60 days of discovery. However, the time frame is not always long enough, depending on the complexity of the attack and forensics.

As such, entities commonly issue a notice describing the incident and note to patients that the investigation is ongoing while providing HHS with the current knowledge of the incident and reporting the incident as impacting 501 patients with the expectation they’ll add more patients to the breach tally.

All signs suggest ILS did just that. Reported by ILS on Sept. 9, 2022, “an incident involving the inaccessibility of certain computer systems” was detected on July 5. The response team found that a threat actor gained access to several ILS systems for nearly a week between June 30 and July 5, which enabled the exfiltration of some of the data stored on the impacted systems.

“Other information was accessible and potentially viewed,” according to the notice.

After containing the incident, ILS launched a review that concluded on Jan. 17, 2023. The team then validated the results and began the notification process.

ILS determined that the compromised data could include patient names, contact information, Social Security numbers, dates of birth, driver’s licenses, state IDs, financial account details, medical record numbers, Medicare or Medicaid identification, mental or physical treatments, medical conditions, diagnosis codes or details, and other sensitive information.

Barcelona Hospital brings 50% of systems back online

Sixteen days after being hit by a RansomHouse cyberattack, the Hospital Clinic of Barcelona has recovered 50% of the impacted systems. The attack struck on March 4, which prompted the hospital to shut down the network, revert to paper processes, and divert some patients.

The information systems’ leadership has been working with the Cybersecurity Agency of Catalonia to analyze the affected systems and ensure the malicious malware has been completely removed before bringing the systems back online.

But the recovered systems have enabled the hospital to recover some of its scheduled surgery, ambulatory surgery, and external consultations, “despite the current difficulties caused by having to work manually.” Officials were transparent “that the pace of care for patients and care times are still very much conditioned by the attack received and delays can be significant.” 

Radiotherapy oncology treatment, previously diverted to nearby hospitals to maintain critical appointments, have restarted at the hospital as of March 15; made possible by the two accelerators being brought back online after the attack.

The previously implemented contingency plan has enabled the hospital to maintain critical care appointments, as well as transparency for the sake of patients and care coordination.

Jessica Davis

The voice of healthcare cybersecurity and policy for SC Media, CyberRisk Alliance, driving industry-specific coverage of what matters most to healthcare and continuing to build relationships with industry stakeholders.

Get daily email updates

SC Media's daily must-read of the most current and pressing daily news

By clicking the Subscribe button below, you agree to SC Media Terms and Conditions and Privacy Policy.