Data breach in Advocate Aurora Health system may have exposed up to 3M patients’ information


A data breach in the Advocate Aurora Health hospital system may have exposed the personal health information of up to 3 million Wisconsin and Illinois patients to outside companies like Google and Facebook.

Advocate Aurora is the largest health care provider in the state, with 17 hospitals across Wisconsin. Health care organizations, hospitals and clinics are subject to the federal Health Insurance Portability and Accountability Act, or HIPAA, which protects people’s personal health information.

The hospital system uses online tracking technologies from companies like Google and Facebook, including their “pixels” — or tiny bits of code or images — that collect data on users and the information they see on a page, which made its platform vulnerable to attack, according to its notice this week. Those pixels were on “patient portals” through its MyChart and LiveWell websites and applications, which track and send data on users to third parties.

“These pixels would be very unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident,” the statement said. “Nevertheless, we always encourage patients to regularly review their financial accounts and report any suspicious, unrecognized or inaccurate activity immediately.”

The information at risk includes patients’ medical providers, IP addresses, and dates and locations of scheduled appointments, among other sensitive materials. The health system alerted the Department of Health and Human Services on Friday, the Associated Press reported.

Advocate Aurora has disabled its use of pixels on its platforms. In its notice, the company said no Social Security or financial information was breached.

University of Wisconsin-Madison computer science professor Paul Barford, an expert in Internet security, was shocked a health care application would use pixels on its page.  

“It’s a real surprise that a commercial entity that is interacting with people related to their health, would think that this is something that’s reasonable, and proceed with it,” he said. 

The organization said it’s “not aware of any misuse of information arising from this incident,” but urges patients to take…
