Advocate Aurora exposed 3M PHI due to using data tracking technologies. Ensure HIPAA compliance when processing and storing ePHI and think twice before using data analytics
Many organizations use data analytics tools to collect and analyze their clients’ data. The tracking tools help businesses improve the quality of healthcare services while reducing data administration costs. At the same time, using analytics tools requires a cautious approach, especially when dealing with electronic Protected Helth Information (ePHI).
On Oct. 14, a data breach at Advocate Aurora Health – the most extensive healthcare system in Wisconsin and Illinois – exposed up to 3 million patients’ ePHI. The reason is using tracking technologies – “pixels” utilized by Google and Facebook data analytic tools. The consequences of such an incident are, at a minimum, financial and reputational losses.
Advocate Aurora, like other healthcare organizations of such a size, is subject to HIPAA. So, it must ensure compliance in the processing and storing of ePHI and think twice before using data analytics. Entrusting ePHI to Google Analytics was a bad idea because:
This incident demonstrates how important it is to follow the HIPAA rules and requirements regarding ePHI. Continue reading to discover more about Advocate Aurora’s case. Also, figure out what does HIPAA say about data analytic tools and how to optimize your work and not fall under HIPAA sanctions?
In its notice of a data breach, the Advocate Aurora hospital system confirmed using “the services of several third-party vendors to measure and evaluate information concerning the trends and preferences of its patients.” In other words, they used Google and Facebook (Meta) online tracking technologies – “pixels” to improve patient experience and website operability. In addition, these “pixels” also collect user data and the information users see on a page. On the businesses’ side, these tracking tools help better understand patients’ needs and preferences, thus helping provide more efficient services. On the other hand, “pixels” expose ePHI – the most sacral value of HIPAA – to third parties. The latter is unforgivable in terms of HIPAA compliance.
The Advocate Aurora is not the only one. Similar data incidents have already occurred before. For example, Novant Health exposed 1.3 million patients’ data to Google and Meta this August using their tracking tools. Sephora case, which we described in detail in our post, “CCPA sowed its teeth. 1,2 million fine for selling Californians’ Data”, also demonstrates how tricky are the tracking technologies.
As HIPAA demands, the company launched an initial investigation to determine what patients’ ePHI was disclosed and the extent of the damage of the data leak. The company has decided to assume that all patients may have been affected by the data leak. Namely, sensitive information at risk included patients’ medical providers, IP addresses, dates and locations of scheduled appointments, and many other sensitive data about 3 million patients. The investigation is still ongoing, and Advocates Aurora encouraged patients to review their financial accounts and immediately report any suspicious, unrecognized, or inaccurate activity.
It is not yet clear whether the patient’s actions, such as a choice of browser, browser configuration, cookie usage, and Facebook or Google accounts, played a role in the data exposure. The company also believes the “pixels” would be very unlikely to result in identity theft or any financial harm since it has no evidence of misuse or incidents of fraud stemming from this incident.
Although Advocate Aurora’s notice statement assured the “pixels” would unlikely cause substantial harm, the patients’ reaction was not long in coming. A patient affected by the incident has sued the healthcare system in a class-action lawsuit. He claims that the patient portal he used to communicate with his doctors at Advocate Aurora and schedule appointments used a pixelated code that shared this sensitive information with third parties, namely Google and Facebook. The incident victim alleges that the parties of the incident were aware that personal data was not protected but took no action to resolve the issue.
Whenever a patient uses Advocate’s websites and applications, both the health system and third-party companies intercept, transmit, and use ePHI without the patient’s knowledge, consent, or authorization. Thus, using the “pixel” technology and allowing third-party vendors to track patient browsing trends shows the lack of data security Advocate Aurora had for its patients.
The main lesson learned from Advocate Aurora’s case is to be aware of with whom you share ePHI. Before entrusting sensitive data to tracking technologies, ensure no ePHI will be disclosed and no HIPAA Rules will be broken.
The right way to ensure HIPAA compliance is to sign BAA with third parties. However, not all third parties are ready to sign BAA. Let’s see what Google says about this in its HIPAA disclaimer:
Google does not intend to use Google Analytics to create obligations under the HIPAA and makes no representations that Google Analytics satisfies HIPAA requirements unless otherwise specified in writing by Google. If you are (or become) a Covered Entity or Business Associate under HIPAA, you may not use Google Analytics for any purpose or in any manner involving Protected Health Information unless you have received prior written consent to such use from Google.
In plain language, Google states that Google Analytics doesn’t satisfy HIPAA requirements and you can’t use it for any purpose involving ePHI. To use analytics platforms to collect and process ePHI, you must sign BAA with the vendor. Google doesn’t give you this option, and there are, at a minimum, two reasons for this.
First, Google Analytics doesn’t offer on-premises hosting and data residency of your choice. It means all data the platform tracks are stored in randomly assigned data centers. These data centers may be both within and outside the US. Thus, by providing data to Google Analytics, you break HIPAA’s data accountability principle because you don’t know your patients’ exact data location.
Second, Google Analytics uses data to measure the effectiveness of advertising and personalize content and ads. Google’s terms & conditions describe in detail how it uses tracked data. And we know for sure that using any ePHI in an advertising context is a serious HIPAA violation.
How Google Analytics was used in Advocate Aurora is still unclear. So we should wait for the results of the internal investigation and the class-action lawsuit. However, Google Analytics does not satisfy HIPAA requirements. As a result, if you pass any trace of ePHI into Google Analytics, you’re breaking HIPAA regulations.
For more information on HIPAA compliance, contact Planet 9. We’ll be happy to assist!