back to article Oops, web trackers may have leaked 3 million patients' info

A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties. Advocate Aurora Health (AAH) reported the potential breach to the US government's Health and Human Services. As well as …

  1. hayzoos

    Google is all seeing

    I have a hard time finding a wesite anymore which does not include calls to the google mothership. I include doubleclick in this assessment. Googletagmanager, google analytics, gstatic, googlesyndication, google captcha, and ???

    My local healthcare monoploy also uses the mychart product. And they also have google code embedded. Par for the course.

    1. Pascal Monett Silver badge
      Coat

      Re: Google is all seeing

      That's why I like NoScript.

      Mine's the one with the browser that keeps my habits private.

      1. Greybearded old scrote Silver badge

        Re: Google is all seeing

        And Privacy Badger. Belt and braces.

      2. Vometia has insomnia. Again. Bronze badge

        Re: Google is all seeing

        So do I, but you get the likes of EMIS Patient Access which won't let you login if you don't play the Google RECAPTCHA game. I dread to think what else it rifles through, but probably everything.

        1. EnviableOne Silver badge

          Re: Google is all seeing

          and is now owned by UnitedHealth Group Inc

          1. Vometia has insomnia. Again. Bronze badge

            Re: Google is all seeing

            I'm not sure who they are offhand, but I suspect I can probably predict their nature in advance. :|

        2. RegGuy1 Silver badge

          Re: Google is all seeing

          Why is every failed policy described as 'robust'? Cunts.

          I use the EMIS system but in a separate Firefox profile. I'd like to ask them how they can ensure the data they send to Google about me will not be combined with any other data Google has about me, given THEY have a duty to protect my data. But I know if I did they would simply laugh knowing I can just fuck off, and then send me a canned reply about how rigorous and robust their policies are, without actually answering my question.

          More generally I delete all my cookies frequently, and use different profiles to separate my browsing. I also make extensive use of No Script, Adblock Plus and Ublock Origin. But I realise that once they know probably half a dozen of my frequent browsing sites (or that since brexit I now rarely use the BBC) that is enough to uniquely identify me as an individual, and their task is then only to get my financial details and they will be happy.

          NEVER USE PHONE APPS. You have to allow too much access to your phone and are essentially giving them this info on a plate. Just use websites.

          Did I say, cunts?

          1. MrReynolds2U
            Happy

            Re: Google is all seeing

            In reference to cunts... sometimes that's the only word that really conveys how you are feeling.

            With all the changes recently, thank fuck we can still swear on here.

  2. BPontius

    Goodbyeeeeee

    In what reality did putting Google, Meta or any other trackers on the website with HIPPA protected information seemed like a good idea?!?!? Unbelievable!!

    You should be put out of business!!

    1. Version 1.0 Silver badge
      Meh

      Re: Goodbyeeeeee

      Certainly it was an error but this is the modern "let's get a website running" world - saying that "You should be put out of business!!" is like saying you need to sell your house if you forget to lock the front door and lose your TV to a thief. If you were working with the health care industries (I do) then you would know that their maximum concerns are always the health of the patients that they are working with.

      This type of data theft is normal these days, it's the environment that Google has created to be "healthy" (for Google, not you).

      1. SloppyJesse

        Re: Goodbyeeeeee

        their maximum concerns are always the health of the patients profits

        FTFY

        The information passed to these trackers is on the consumers side private/personal and on the website owners commercially valuable/sensitive. There is zero reason to pass this to a 3rd party 'to see how people use our services'. Any website owner can get a huge chunk of this information passively from server logs with no additional capturing required. If more detail is needed / application is designed in a way that server logs are not useful there are multiple strategies available up to embedding tracking scripts that send data back to YOUR OWN server for further analysis.

        But doing that would require time/money, so let's embedded a google tag - Google can do what they like with our visitors data as long as they give us back some pretty graphs.

        1. Version 1.0 Silver badge
          Happy

          Re: Goodbyeeeeee

          Fair enough for all those down-votes - I should have documented that I work with the Physical Therapists and Kinesiologists, not the damn management. I'm not pissed, all votes are helpful when you read all the rest of the comments.

  3. Kevin McMurtrie Silver badge

    Nobody cares

    Kaiser Permanente has been doing this for a very long time. I reported it as a HIPPA violation and nothing happened. That had followed nothing happening when I reported Kaiser Santa Clara for giving my personal information to an SMS scammer, which they admitted to be doing.

    1. Shalghar Bronze badge

      Re: Nobody cares

      It seems a bit sad that even organisations who criticise mass data theft/aggregation also use google/meta tech for "performance optimisation".

      Basically, the old fashioned "please tell us how ourr site performs" questionnaire doesnt exist anywhere anymore, except in some sort of after the act post processing like on the bottom of microsoft or other support pages the occasional "was this helpful ?/did you find what you searched for?" question.

      Its so nice that you can tell google/meta what you dont want to collect yourself AFTER the pixel/whatevertech has grabbed everything it could but as soom as anything is transmitted, i would not count on the data aggregators honesty to delete evrrything you dont want to have transferred back to you.

      So why does this performance-o-mania still exist ? Nobody able to send, lets say, some kind of ping/live bit to check wether your site is down or not ?

      1. Greybearded old scrote Silver badge

        Re: Nobody cares

        Well they tell themselves it's for performance. In reality the web is typically at least as slow as back in the dial-up era, if not worse.

    2. Cederic Silver badge

      Re: Nobody cares

      Perhaps try reporting it as a HIPAA violation instead?

  4. Mike 137 Silver badge

    So nobody checked

    ""We learned that pixels or similar technologies installed on our patient portals … transmitted certain patient information to the third-party vendors that provided us with the pixel technology,""

    You're saying that, in an intrinsically sensitive data environment, you didn'y bother to verify the funtionality of your portals? Taking for granted whatever a third party web dev delivers is not sufficient, particularly as said third party web devs are in the habit of not verifying the functionality of the fourth party or library widgets they apply to commissioned sites.

    1. Anonymous Coward
      Anonymous Coward

      Re: So nobody checked

      Web devs clearly love using Google stuff, it's easy to implement and it sounds serious. Besides, what's good for a commercial website can't be bad for a healthcare one, can it.

      1. FlamingDeath Silver badge

        Re: So nobody checked

        They're called script kiddies, copy paste devs, they never RTFM

        1. RegGuy1 Silver badge

          Re: So nobody checked

          There's a manual?

    2. EnviableOne Silver badge

      Re: So nobody checked

      basically, they are saying:

      "So we put some trackers on our website to find out how it was getting used and forgot to read the manual to see what data they actually collected, but it's not our fault it's those evil Megacorps"

      1. rnturn

        Re: So nobody checked

        In some manger's office the reaction was "Ooh! Shiny! Put that into production right away!" without asking any questions about whether the site was HIPPA-compliant.

        I had software vendors issue upgrades/updates/patches back in the '90s that blew our HIPPA policies out of the water which, then, had to be re-implemented. It appears the idjits STILL haven't learned.

  5. Anonymous Coward
    Anonymous Coward

    patientaccess.com

    Right here in the UK - it has access to my medical records and looking at it right now has trackers for "doubleclick.net", "google-analytics.com" and "googletagmanager.com". If I want to book an appointment with my GP I have no option but to use this site.

    If I click on a record in my medical history, select the ailment and click "more info" it takes me to another page from "patient.info", which is run by the same organisation. This has twelve trackers - amazon, criteo, "id5-sync.com" who "operate an identity platform for the digital advertising industry", and quite a number of cookies.

    The link includes the name of the ailment in the URL. As the bulk of referrals to this page will come from the "patient access" medical records page, any tracker on this page can make a very safe guess about the medical conditions of the visitor. Oh, and note all this information is available to the tracker before I have made any statement on cookie preferences (not that I feel I should have to in these circumstances).

    An enterprising journalist might be able to get some mileage out of this.

    1. RegGuy1 Silver badge

      Re: patientaccess.com

      Part of my /etc/hosts file:

      127.0.0.1 google-analytics.com

      127.0.0.1 googletagmanager.com

      127.0.0.1 doubleclick.net

      127.0.0.1 securepubads.g.doubleclick.net

      127.0.0.1 www.google-analytics.com

      127.0.0.1 www.googletagmanager.com

      127.0.0.1 fonts.googleapis.com

    2. Anonymous Coward
      Anonymous Coward

      Re: patientaccess.com

      In a similar fashion many UK GP Practices use https://www.practicewebsites.co.uk/ which is run by https://oldroydpublishinggroup.co.uk/

      The Practice websites provided by this company include optional local advertising (to reduce the price for the Practice), I'm sure there is some degree of tracking as part of this.

      I successfully complained to my GP Practice 3 years ago about the use of Google Analytics and other trackers - they did remove Google Analytics at the time but I just checked their website now and the buggers have added it back since then.

      Practice websites hosted by the above company also seem to auto-generate Privacy Notices and at the time I pointed out numerous mistakes in them to the Practice - quoting laws that do not apply in Northern Ireland (English company, what do you expect), as well as some instances of "[insert org name here]" that showed how much care the Practice took of ensuring their various Privacy Notices were accurate...

      "The link includes the name of the ailment in the URL. As the bulk of referrals to this page will come from the "patient access" medical records page, any tracker on this page can make a very safe guess about the medical conditions of the visitor."

      I made exactly the same point regarding the Practice's website with its Google Analytics and other trackers. The response I received (which seems to have come from the company) was:

      >>The ICO advisor we discussed this with said that, whilst the logging of the IP address of a website visitor and that they visited a page about a health condition would be enough to identify that the individual visited said page, it would not be enough to show this visit related to a condition that the individual themselves had, so it would be unlikely to class as special category data.<<

      "An enterprising journalist might be able to get some mileage out of this."

      I have been trying to get TheReg interesting in my ongoing battle with the Health Service in Northern Ireland regarding their large-scale and ongoing breach of Data Protection law since 2011 regarding the sharing of individuals' GP Practice records. However the Reg journalist in question didn't respond to my last email of August last year and so I stopped sending him further updates and revealing documents. I guess he lost interest as it was taking too long for me to expose things.

      I'm still in a Kafka-esque situation where an org won't delete my health data (shared by my GP Practice) from a central system as the org claim (in 2022) they are only a Data Processor and only my GP Practice, as the Data Controller, can instruct them to delete said data, yet my GP Practice have told the ICO that they instructed said org to delete my data in 2020 and the org refused as "the data could not be removed and the pathway by which data could be removed was not established".

      ICO are taking no action against my GP Practice (for losing control of their Data Processor) and have not yet decided whether to take action against the other org (a Data Processor refusing to follow a direct instruction from the Data Controller).

  6. Someone Else Silver badge

    Why in the fsck...

    Why in the fucking name of fuck would any organization, much less a health care organization, send any personally identifying or healthcare data to Fuckerberg?!? Yes, google-analytics is ubiquitous, and it makes some sort of twisted sense that a shit-fer-brains, knuckle-dragging, semi-comatose web "programmer" would just automatically hook google-analytics up to any website s/he creates. (Doesn't make it right, but since when has that gotten in the way of profits?) But Fuckerberg?

    Un! Believable!

    AAH is a US Corporation, and is subject to HIPAA. If ever there was a prima facie violation of HIPAA regs, this has to be Exhibit A. One should expect prosecutions and jail time forthwith!

    Wait...What? This is the Good Ol' USofA, donchano. Prosecutions of Corporations for privacy violations? Shirley, you jest!

    1. John Brown (no body) Silver badge

      Re: Why in the fsck...

      "Why in the fucking name of fuck would any organization, much less a health care organization, send any personally identifying or healthcare data to Fuckerberg?!?"

      Probably because they get the analytics for free, the data being grabbed is the value that FB want.

  7. wub

    Step back and look at the forest!

    Yes, these trackers are terrible and definitely a violation of the kind of privacy any patient should expect. But I think we are focusing on a single tree here, and possibly missing the bigger picture.

    But think about the situation for a moment. Do you really think that your physician's office, or even the hospital created their own website? Hell no, they contacted the creation and operation of "their" site to a third party, hopefully one with some expertise.

    Whenever you interact with a site like that, you are freely giving your personal health information to whoever or whatever actually runs that site. Under HIPAA, this means they are relieved of ANY restrictions on what they can subsequently do with the information.

    The only hope a patient has in this situation, and it is a slim reed indeed, is to hope that the contract between the medical provider and the website operator includes language that passes the HIPAA requirements on to them. Ho Ho HO (to rush the season, a bit)!

    I am certain that there is a financial advantage to the health care provider is they fail to include such language - the patient becomes the product, and they get a big discount on the cost of creating and operating the site.

    It would be very nice to be wrong about this, but I'll bet I'm not.

    So, the big boys (Meta, Google, TikTok - who ever else is offering these beacons) are only the big end of the pool. There must be literally thousands of small organizations with the same or greater access to patient information without any monitoring or restriction at all.

    1. hayzoos

      Re: Step back and look at the forest!

      In my initial post I claimed a local healthcare monopoly. Technically incorrect, they have only about 85-95% of the market depending on when you check the stats. The majority of the others belong to a neighboring area's near monopoly. This is probably an off the record agreement to allow each others' areas to be clear of monopoly status.

      The vast majority of general practitioners are part of the parent's organization's "physician group". Specialists are part of the "physician group specialists" (Creative are they not?)

      So I step back and look to see thet most of the providers and facilities sport the sort of pale sea green banded pyramid logo which is the brand. There is a bit of the neighboring near monoploy's purple letters on white logo but only enough to show a monopoly doe not exist.

      I look a bit closer to see that the local near monopoly joined another group whose headquarters are about 500 miles distant and membership spans multiple states. But each member organization seems to retain their local identity with the overarching organization name or initials prefixed to their own.

      These large regional healthcare organizations came about due to the health insurance companies having too much rate negotiating power compared to the small providers. So the small providers had to join larger organizations in order to equalize the power equation.

      This means there is no "small" provider who cannot afford the proper security of their web presence or online portals. Mychart is a product of EPIC systems, specializing in healthcare portals. With a name like that . . .

  8. Anonymous Coward
    Anonymous Coward

    What harm can a pixel do?

    If media didn't refer to pixels rather than data rape malware code, users might get the idea this shit isn't safe. The register included.

    1. An_Old_Dog Silver badge

      Re: What harm can a pixel do?

      Meta intentionally euphemized their data-rape malware code as "Meta Pixel" to make it sound harmless, and various journalists unquestioningly swallowed that euphemism down whole, and used that euphemism in their articles, so that's what the public will (confusedly) call it.

      Meta's strategy was achieved!

  9. Anonymous Coward
    Anonymous Coward

    "Usual data breach letter, please"

    I got a letter from one of my providers with exactly the same confession - it looks like a form letter, possibly provided by the portal vendor. It does not offer any compensation, just the usual hand-wringing.

    1. ThatOne Silver badge
      Devil

      Re: "Usual data breach letter, please"

      It just says they take the security of your data very seriously, doesn't it?

  10. Claptrap314 Silver badge

    Looks like

    My adamant refusal to have anything to do with MyChart was more justified than just my in principle objection to the use of such "portal"s.

  11. MrReynolds2U

    "AAH's... robust technology vetting process"

    Doesn't seem to be living up to that claim so far.

POST COMMENT House rules

Not a member of The Register? Create a new account here.

  • Enter your comment

  • Add an icon

Anonymous cowards cannot choose their icon

Other stories you might like