109K-Record Data Breach at Online Alcohol Counseling Service Provider
Alcohol addiction and treatment service provider Monument Inc., based in New York, recently notified about 109,000 individuals of an impermissible disclosure of their personal data and protected health information (PHI). The disclosure happened because of tracking code that had been placed on its web pages.
Monument stated in its breach notification letters that it conducted an internal audit of its use of web tracking tools in late 2022, after the HHS’ Office for Civil Rights issued guidance on how tracking tools such as pixels can violate HIPAA. The internal audit was completed on or about February 6, 2023, and found that the code on its websites may have transmitted identifiable PHI to third parties that were not authorized to receive the data. HIPAA requires consent before such a disclosure, and Monument had not signed business associate agreements with the firms that provided the tools.
The tracking tools were provided by Facebook (Meta), Google, Pinterest, and Bing. While the tools were present on the websites, the following data may have been transmitted: names, dates of birth, phone numbers, email addresses, insurance member IDs, Monument IDs, unique digital IDs, pictures, URLs, evaluations and surveys, certain services and plans, appointment data, and associated health data. The types of data exposed varied from person to person depending on their activity on the web pages. The tracking code was placed on Monument’s websites in January 2020 and had been present on the Tempest websites since November 2017; Monument acquired Tempest in May 2022. Monument stated that it completely removed the tools from its websites on February 23, 2023, and has ended its third-party advertising partnerships with the providers of the tracking tools. Monument will only use third-party vendors that satisfy HIPAA requirements and other privacy rules. Monument decided to notify all members, even those who did not have an account or did not become patients of Monument’s or Tempest’s medical groups (Purdy Medical Corp and Live Life Now Health Group). Although there is no evidence of misuse of the exposed data, affected individuals were offered a free credit monitoring service membership.
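The audit Monument describes, checking which third-party tags are present on a page and what form data sits beside them, can be done offline against saved HTML. The following script is an added example, not Monument’s tool or any vendor’s code: it parses a page with Python’s standard-library HTMLParser, flags script, image and iframe loads from a short list of known tracker hosts (the list and the inline API markers are assumptions, a representative sample rather than an exhaustive one), detects inline tracker API calls inside script blocks, and lists the form field names on the same page, since those fields are what such tags can capture. The sample page is constructed for the example.

```python
"""Offline audit of an HTML page for third-party tracking tags (added example)."""
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: representative tracker hosts, keyed by the netloc seen in src=
TRACKER_HOSTS = {
    "connect.facebook.net": "Meta Pixel",
    "www.facebook.com": "Meta Pixel",
    "www.googletagmanager.com": "Google Tag Manager",
    "www.google-analytics.com": "Google Analytics",
    "ct.pinterest.com": "Pinterest Tag",
    "bat.bing.com": "Bing UET",
}

# Assumption: representative inline JavaScript calls that configure or fire these tags
INLINE_MARKERS = {
    "fbq(": "Meta Pixel",
    "gtag(": "Google Tag Manager",
    "pintrk(": "Pinterest Tag",
    "uetq": "Bing UET",
}


class TrackerAuditor(HTMLParser):
    """Collects tracker loads, inline tracker calls and form field names."""

    def __init__(self):
        super().__init__()
        self.trackers = []      # (tag, vendor, evidence)
        self.form_fields = []   # name attributes of input/select/textarea
        self._in_script = False
        self._script_text = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "script":
            self._in_script = True
            self._script_text = []
        src = attrs.get("src") or ""
        if tag in ("script", "img", "iframe") and src:
            host = urlparse(src).netloc.lower()
            if host in TRACKER_HOSTS:
                self.trackers.append((tag, TRACKER_HOSTS[host], src))
        if tag in ("input", "select", "textarea") and attrs.get("name"):
            self.form_fields.append(attrs["name"])

    def handle_data(self, data):
        if self._in_script:
            self._script_text.append(data)

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False
            text = "".join(self._script_text)
            for marker, vendor in INLINE_MARKERS.items():
                if marker in text:
                    self.trackers.append(("script", vendor, marker))


def audit_html(html):
    """Return {'trackers': [...], 'form_fields': [...]} for one HTML document."""
    auditor = TrackerAuditor()
    auditor.feed(html)
    auditor.close()
    return {"trackers": auditor.trackers, "form_fields": auditor.form_fields}


def vendors_present(html):
    """Set of tracker vendor names found on the page."""
    return {vendor for _, vendor, _ in audit_html(html)["trackers"]}


# Constructed sample page: a tag-manager load, an inline pixel, its noscript
# fallback image, and an intake form with fields a tag could capture.
SAMPLE_PAGE = """<html><head>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script>
  !function(f,b,e,v,n,t,s){/* loader omitted */}(window,document,'script',
    'https://connect.facebook.net/en_US/fbevents.js');
  fbq('init', '000000000000000');
  fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1"
  src="https://www.facebook.com/tr?id=000000000000000&ev=PageView&noscript=1"/></noscript>
<form action="/intake"><input name="dob"><input name="insurance_member_id"></form>
</body></html>"""

if __name__ == "__main__":
    result = audit_html(SAMPLE_PAGE)
    for tag, vendor, evidence in result["trackers"]:
        print(f"{vendor:18} via <{tag}>: {evidence}")
    print("form fields on page:", ", ".join(result["form_fields"]))
```

Run against a saved copy of each page (for example, the output of a crawl of the site), and treat any page where `vendors_present` is non-empty and `form_fields` is non-empty as a candidate for review; the evidence column shows which element to remove or gate behind consent.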
Monument is the latest healthcare company to issue breach notifications related to tracking tools, following the discovery that the tools were transferring sensitive information to third parties. A recent research study at the University of Pennsylvania found that 99% of U.S. hospitals had added tracking code to their websites, and a study by The Markup found that online counseling service providers make extensive use of these tools.
Several lawsuits have been filed over these impermissible disclosures. OCR has not yet taken any enforcement action in response to the breaches, but the Federal Trade Commission has taken legal action against non-HIPAA-covered entities such as BetterHelp and GoodRx.
DC Health Link Data Breach Due to Human Error
DC Health Link released further details about the data breach at the Washington DC health insurance exchange ahead of today’s hearing of the House Oversight Committee’s subcommittee on cybersecurity, information technology, and government innovation.
DC Health Link detected the data breach on March 6, 2023, and engaged Mandiant to investigate. By March 8, Mandiant had identified the source of the breach and it was blocked immediately; nevertheless, the attacker had already stolen files and listed some of the breached information for sale on a hacking forum. DC Health Link provided the affected individuals with free credit monitoring and identity theft protection services. Executive director Mila Kofman of DC Health Link stated that the internal investigation into the data breach is ongoing, but shared additional details about the security incident and data breach. She will also discuss the results of Mandiant’s investigation during the hearing.
Last week, the two subcommittee chairs, Reps. Barry Loudermilk (R-Georgia) and Nancy Mace (R-South Carolina), published a joint announcement ahead of the hearing. It stated that the data breach at DC Health Link put people, including Members of the House, congressional personnel, and their family members, at risk. The subcommittee is investigating how the breach happened, how it could have been avoided, what mitigations are possible, and how to prevent a recurrence.
Kofman confirmed in a prepared statement that 56,415 current and former customers were affected, including members of the House, their family members, and Congressional staff. The breach involved the theft of two reports containing the personal information of 17 members of the House, 43 of their family members, 585 staff, and 231 of their family members. The breached data included basic personal data, contact details, birth dates, and Social Security numbers.
The hacker gained access to the information because of a security error, which Kofman stated was the result of human error: a misconfiguration of a cloud server allowed the reports to be accessed without authentication. Kofman apologized for the breach and said that DC Health Link promptly investigated it and disabled the access. The organization remains committed to being transparent about incidents such as this data breach.