Community Health Network Confirms Unauthorized Disclosure of Patients’ Information

Console and Associates, P.C.

On November 18, 2022, Community Health Network reported a data breach to the U.S. Department of Health and Human Services Office for Civil Rights (“HHS-OCR”) after learning that third-party tracking technologies used to monitor website visitors’ interactions disclosed sensitive data to unauthorized parties. According to Community, the breach resulted in certain patients’ protected health information being compromised. Recently, Community sent out data breach letters to all affected parties, informing them of the incident and what they can do to protect themselves from identity theft and other fraud.

As a patient of Community Health Network, you trust that the organization will keep your personal and health-related information private. However, as a part of Community Health Network’s marketing efforts, it used tracking technology that may have passed your information along to unauthorized parties. As we’ve discussed in prior posts, healthcare providers have a legal duty to protect patients’ protected health information. By disclosing your information without your consent, Community Health Network may have violated this duty. Depending on what evidence the ongoing investigation turns up, you may have a right to pursue a claim against Community Health Network.

What We Know About the Community Health Network Data Breach

The available information regarding the Community Health Network breach comes from the company’s filing with the U.S. Department of Health and Human Services Office for Civil Rights, as well as a notice posted on the company’s website. According to these sources, as early as April 2017, Community Health Network used a technology called pixels, which enabled the organization to track the activity of those who visited the Community Health Network website. These pixels collect and disclose certain information about visitors and how they interact with the organization’s website.

However, in light of recent concerns about the use of pixels in the healthcare context, Community Health Network launched an internal investigation to determine whether the organization’s use of pixels compromised patient data. Community Health Network confirmed that third-party tracking technologies were installed on its website, including the MyChart patient portal, and on some of its appointment scheduling sites.

In response, Community Health Network disabled all tracking technologies and then continued the investigation in hopes of learning what, if any, patient data was subject to unauthorized access as a result. On September 22, 2022, Community Health Network learned that the pixels used by the organization were transmitting a greater array of data than Community intended.

Upon discovering that sensitive consumer data was potentially made accessible to unauthorized parties, Community Health Network began to review the affected files to determine what information was compromised and which consumers were impacted. While the breached information varies depending on the individual, it may include the following:

  • User’s IP address;

  • Dates, times, and locations of scheduled appointments;

  • Information about the patient’s provider;

  • Type of appointment or procedure scheduled;

  • Communications between a patient and others through MyChart;

  • First name and last name;

  • Medical record number;

  • Email address;

  • Phone number;

  • Contact information entered into Emergency Contacts or Advanced Care Planning;

  • Information about whether a patient had insurance;

  • Proxy name and contact information; and

  • Website button and menu selections.

On November 18, 2022, Community Health Network sent out data breach letters to all individuals whose information was compromised as a result of the recent data security incident. The company sent these letters to approximately 1.5 million people, including anyone who visited a Community Health Network on or after April 6, 2017, which is the date the company began using the tracking technology.

Community Health Network is a healthcare services provider based in Indianapolis, Indiana. Community Health Network provides a wide range of services, with over 100 locations across Indiana, including physicians’ offices, specialty and acute care hospitals, surgery centers, home care services, MedChecks, behavioral health and employer health services. Community Health Network employs more than 16,000 people and generates approximately $1 billion in annual revenue.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Console and Associates, P.C. | Attorney Advertising
