Oops, web trackers may have leaked 3 million patients' info

A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties. Advocate Aurora Health (AAH) reported the potential breach to the US government's Health and Human Services. As well as …

  1. hayzoos

    Google is all seeing

    I have a hard time finding a website anymore which does not include calls to the google mothership. I include doubleclick in this assessment. Googletagmanager, google analytics, gstatic, googlesyndication, google captcha, and ???

    My local healthcare monopoly also uses the mychart product. And they also have google code embedded. Par for the course.

    1. Pascal Monett Silver badge
      Coat

      Re: Google is all seeing

      That's why I like NoScript.

      Mine's the one with the browser that keeps my habits private.

      1. Greybearded old scrote

        Re: Google is all seeing

        And Privacy Badger. Belt and braces.

      2. Vometia has insomnia. Again. Silver badge

        Re: Google is all seeing

        So do I, but you get the likes of EMIS Patient Access which won't let you login if you don't play the Google RECAPTCHA game. I dread to think what else it rifles through, but probably everything.

        1. EnviableOne

          Re: Google is all seeing

          and is now owned by UnitedHealth Group Inc

          1. Vometia has insomnia. Again. Silver badge

            Re: Google is all seeing

            I'm not sure who they are offhand, but I suspect I can probably predict their nature in advance. :|

        2. RegGuy1 Silver badge

          Re: Google is all seeing

          Why is every failed policy described as 'robust'? Cunts.

          I use the EMIS system but in a separate Firefox profile. I'd like to ask them how they can ensure the data they send to Google about me will not be combined with any other data Google has about me, given THEY have a duty to protect my data. But I know if I did they would simply laugh knowing I can just fuck off, and then send me a canned reply about how rigorous and robust their policies are, without actually answering my question.

          More generally I delete all my cookies frequently, and use different profiles to separate my browsing. I also make extensive use of No Script, Adblock Plus and Ublock Origin. But I realise that once they know probably half a dozen of my frequent browsing sites (or that since brexit I now rarely use the BBC) that is enough to uniquely identify me as an individual, and their task is then only to get my financial details and they will be happy.

          NEVER USE PHONE APPS. You have to allow too much access to your phone and are essentially giving them this info on a plate. Just use websites.

          Did I say, cunts?

          1. MrReynolds2U
            Happy

            Re: Google is all seeing

            In reference to cunts... sometimes that's the only word that really conveys how you are feeling.

            With all the changes recently, thank fuck we can still swear on here.

  2. BPontius

    Goodbyeeeeee

    In what reality did putting Google, Meta or any other trackers on the website with HIPAA protected information seem like a good idea?!?!? Unbelievable!!

    You should be put out of business!!

    1. Version 1.0 Silver badge
      Meh

      Re: Goodbyeeeeee

      Certainly it was an error but this is the modern "let's get a website running" world - saying that "You should be put out of business!!" is like saying you need to sell your house if you forget to lock the front door and lose your TV to a thief. If you were working with the health care industries (I do) then you would know that their maximum concerns are always the health of the patients that they are working with.

      This type of data theft is normal these days, it's the environment that Google has created to be "healthy" (for Google, not you).

      1. SloppyJesse

        Re: Goodbyeeeeee

        their maximum concerns are always the health of the patients profits

        FTFY

        The information passed to these trackers is on the consumer's side private/personal and on the website owner's side commercially valuable/sensitive. There is zero reason to pass this to a 3rd party 'to see how people use our services'. Any website owner can get a huge chunk of this information passively from server logs with no additional capturing required. If more detail is needed / the application is designed in a way that server logs are not useful, there are multiple strategies available, up to embedding tracking scripts that send data back to YOUR OWN server for further analysis.

        But doing that would require time/money, so let's embed a google tag - Google can do what they like with our visitors' data as long as they give us back some pretty graphs.

        1. Version 1.0 Silver badge
          Happy

          Re: Goodbyeeeeee

          Fair enough for all those down-votes - I should have documented that I work with the Physical Therapists and Kinesiologists, not the damn management. I'm not pissed, all votes are helpful when you read all the rest of the comments.

  3. Kevin McMurtrie Silver badge

    Nobody cares

    Kaiser Permanente has been doing this for a very long time. I reported it as a HIPPA violation and nothing happened. That had followed nothing happening when I reported Kaiser Santa Clara for giving my personal information to an SMS scammer, which they admitted to be doing.

    1. Shalghar

      Re: Nobody cares

      It seems a bit sad that even organisations who criticise mass data theft/aggregation also use google/meta tech for "performance optimisation".

      Basically, the old fashioned "please tell us how our site performs" questionnaire doesn't exist anywhere anymore, except in some sort of after the fact post processing like on the bottom of microsoft or other support pages the occasional "was this helpful?/did you find what you searched for?" question.

      It's so nice that you can tell google/meta what you don't want to collect yourself AFTER the pixel/whatevertech has grabbed everything it could, but as soon as anything is transmitted, I would not count on the data aggregators' honesty to delete everything you don't want to have transferred back to you.

      So why does this performance-o-mania still exist? Nobody able to send, let's say, some kind of ping/live bit to check whether your site is down or not?

      1. Greybearded old scrote

        Re: Nobody cares

        Well they tell themselves it's for performance. In reality the web is typically at least as slow as back in the dial-up era, if not worse.

    2. Cederic Silver badge

      Re: Nobody cares

      Perhaps try reporting it as a HIPAA violation instead?

  4. Mike 137 Silver badge

    So nobody checked

    "We learned that pixels or similar technologies installed on our patient portals … transmitted certain patient information to the third-party vendors that provided us with the pixel technology,"

    You're saying that, in an intrinsically sensitive data environment, you didn't bother to verify the functionality of your portals? Taking for granted whatever a third party web dev delivers is not sufficient, particularly as said third party web devs are in the habit of not verifying the functionality of the fourth party or library widgets they apply to commissioned sites.

    1. Anonymous Coward
      Anonymous Coward

      Re: So nobody checked

      Web devs clearly love using Google stuff, it's easy to implement and it sounds serious. Besides, what's good for a commercial website can't be bad for a healthcare one, can it.

      1. FlamingDeath Silver badge

        Re: So nobody checked

        They're called script kiddies, copy paste devs, they never RTFM

        1. RegGuy1 Silver badge

          Re: So nobody checked

          There's a manual?

    2. EnviableOne

      Re: So nobody checked

      basically, they are saying:

      "So we put some trackers on our website to find out how it was getting used and forgot to read the manual to see what data they actually collected, but it's not our fault it's those evil Megacorps"

      1. rnturn

        Re: So nobody checked

        In some manager's office the reaction was "Ooh! Shiny! Put that into production right away!" without asking any questions about whether the site was HIPAA-compliant.

        I had software vendors issue upgrades/updates/patches back in the '90s that blew our HIPAA policies out of the water which, then, had to be re-implemented. It appears the idjits STILL haven't learned.

  5. Anonymous Coward
    Anonymous Coward

    patientaccess.com

    Right here in the UK - it has access to my medical records and looking at it right now has trackers for "doubleclick.net", "google-analytics.com" and "googletagmanager.com". If I want to book an appointment with my GP I have no option but to use this site.

    If I click on a record in my medical history, select the ailment and click "more info" it takes me to another page from "patient.info", which is run by the same organisation. This has twelve trackers - amazon, criteo, "id5-sync.com" who "operate an identity platform for the digital advertising industry", and quite a number of cookies.

    The link includes the name of the ailment in the URL. As the bulk of referrals to this page will come from the "patient access" medical records page, any tracker on this page can make a very safe guess about the medical conditions of the visitor. Oh, and note all this information is available to the tracker before I have made any statement on cookie preferences (not that I feel I should have to in these circumstances).

    An enterprising journalist might be able to get some mileage out of this.

    1. RegGuy1 Silver badge

      Re: patientaccess.com

      Part of my /etc/hosts file:

      127.0.0.1 google-analytics.com
      127.0.0.1 googletagmanager.com
      127.0.0.1 doubleclick.net
      127.0.0.1 securepubads.g.doubleclick.net
      127.0.0.1 www.google-analytics.com
      127.0.0.1 www.googletagmanager.com
      127.0.0.1 fonts.googleapis.com

    2. Anonymous Coward
      Anonymous Coward

      Re: patientaccess.com

      In a similar fashion many UK GP Practices use https://www.practicewebsites.co.uk/ which is run by https://oldroydpublishinggroup.co.uk/

      The Practice websites provided by this company include optional local advertising (to reduce the price for the Practice), I'm sure there is some degree of tracking as part of this.

      I successfully complained to my GP Practice 3 years ago about the use of Google Analytics and other trackers - they did remove Google Analytics at the time but I just checked their website now and the buggers have added it back since then.

      Practice websites hosted by the above company also seem to auto-generate Privacy Notices and at the time I pointed out numerous mistakes in them to the Practice - quoting laws that do not apply in Northern Ireland (English company, what do you expect), as well as some instances of "[insert org name here]" that showed how much care the Practice took of ensuring their various Privacy Notices were accurate...

      "The link includes the name of the ailment in the URL. As the bulk of referrals to this page will come from the "patient access" medical records page, any tracker on this page can make a very safe guess about the medical conditions of the visitor."

      I made exactly the same point regarding the Practice's website with its Google Analytics and other trackers. The response I received (which seems to have come from the company) was:

      >>The ICO advisor we discussed this with said that, whilst the logging of the IP address of a website visitor and that they visited a page about a health condition would be enough to identify that the individual visited said page, it would not be enough to show this visit related to a condition that the individual themselves had, so it would be unlikely to class as special category data.<<

      "An enterprising journalist might be able to get some mileage out of this."

      I have been trying to get TheReg interested in my ongoing battle with the Health Service in Northern Ireland regarding their large-scale and ongoing breach of Data Protection law since 2011 regarding the sharing of individuals' GP Practice records. However the Reg journalist in question didn't respond to my last email of August last year and so I stopped sending him further updates and revealing documents. I guess he lost interest as it was taking too long for me to expose things.

      I'm still in a Kafka-esque situation where an org won't delete my health data (shared by my GP Practice) from a central system as the org claim (in 2022) they are only a Data Processor and only my GP Practice, as the Data Controller, can instruct them to delete said data, yet my GP Practice have told the ICO that they instructed said org to delete my data in 2020 and the org refused as "the data could not be removed and the pathway by which data could be removed was not established".

      ICO are taking no action against my GP Practice (for losing control of their Data Processor) and have not yet decided whether to take action against the other org (a Data Processor refusing to follow a direct instruction from the Data Controller).
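Both the "So nobody checked" thread and the patientaccess.com post above describe the same two problems: third-party tracker scripts and pixels loaded from a patient portal, and a page URL that carries the condition name, so the Referer header hands it to every tracker on the page. The script below is an added example of the check a portal operator could run before go-live; it is not code from the forum, the portal, or any vendor. The tracker host list, the sample page and the `portal.example` URL are all constructed for the demo.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed list of third-party hosts named in the thread; extend as needed.
TRACKER_HOSTS = {
    "google-analytics.com", "googletagmanager.com", "doubleclick.net",
    "facebook.net", "facebook.com", "id5-sync.com", "criteo.com",
}

# Constructed sample: a records page whose URL path carries the condition name.
SAMPLE_URL = "https://portal.example/records/condition/asthma?more-info=1"
SAMPLE_HTML = """
<html><head>
<script src="https://www.googletagmanager.com/gtm.js?id=GTM-PLACEHOLDER"></script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<link rel="stylesheet" href="https://portal.example/static/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=0&ev=PageView" width="1" height="1">
<img src="/img/logo.png">
<iframe src="https://id5-sync.com/sync"></iframe>
</body></html>
"""

class _ResourceCollector(HTMLParser):
    """Collects every src/href from tags that trigger a network fetch."""
    LOAD_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        want = self.LOAD_ATTRS.get(tag)
        for name, value in attrs:
            if want and name == want and value:
                self.urls.append(value)

def registrable(host):
    # Crude: keep the last two labels so www.googletagmanager.com matches its entry.
    return ".".join(host.lower().split(".")[-2:])

def find_third_party_loads(html, page_url):
    """Return (host, url) for each resource fetched from a host other than the page's."""
    parser = _ResourceCollector()
    parser.feed(html)
    own = urlparse(page_url).hostname
    return [(urlparse(u).hostname, u) for u in parser.urls
            if urlparse(u).hostname and urlparse(u).hostname != own]

def audit(html, page_url, sensitive_terms):
    """Flag known trackers, then flag a URL path that leaks a term to them via Referer."""
    findings = [f"tracker {host} loaded: {u}"
                for host, u in find_third_party_loads(html, page_url)
                if registrable(host) in TRACKER_HOSTS]
    path = urlparse(page_url).path.lower()
    leaked = [t for t in sensitive_terms if t in path]
    if leaked and findings:
        findings.append(f"URL path exposes {leaked} to the trackers above via Referer")
    return findings

if __name__ == "__main__":
    for line in audit(SAMPLE_HTML, SAMPLE_URL, ["asthma"]):
        print(line)
```

Run against a saved copy of a real portal page, the host matching is deliberately crude (two labels), so review the full third-party list from `find_third_party_loads` as well as the tracker hits.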

  6. Someone Else Silver badge

    Why in the fsck...

    Why in the fucking name of fuck would any organization, much less a health care organization, send any personally identifying or healthcare data to Fuckerberg?!? Yes, google-analytics is ubiquitous, and it makes some sort of twisted sense that a shit-fer-brains, knuckle-dragging, semi-comatose web "programmer" would just automatically hook google-analytics up to any website s/he creates. (Doesn't make it right, but since when has that gotten in the way of profits?) But Fuckerberg?

    Un! Believable!

    AAH is a US Corporation, and is subject to HIPAA. If ever there was a prima facie violation of HIPAA regs, this has to be Exhibit A. One should expect prosecutions and jail time forthwith!

    Wait...What? This is the Good Ol' USofA, donchano. Prosecutions of Corporations for privacy violations? Shirley, you jest!

    1. John Brown (no body) Silver badge

      Re: Why in the fsck...

      "Why in the fucking name of fuck would any organization, much less a health care organization, send any personally identifying or healthcare data to Fuckerberg?!?"

      Probably because they get the analytics for free, the data being grabbed is the value that FB want.

  7. wub

    Step back and look at the forest!

    Yes, these trackers are terrible and definitely a violation of the kind of privacy any patient should expect. But I think we are focusing on a single tree here, and possibly missing the bigger picture.

    But think about the situation for a moment. Do you really think that your physician's office, or even the hospital, created their own website? Hell no, they contracted the creation and operation of "their" site to a third party, hopefully one with some expertise.

    Whenever you interact with a site like that, you are freely giving your personal health information to whoever or whatever actually runs that site. Under HIPAA, this means they are relieved of ANY restrictions on what they can subsequently do with the information.

    The only hope a patient has in this situation, and it is a slim reed indeed, is to hope that the contract between the medical provider and the website operator includes language that passes the HIPAA requirements on to them. Ho Ho HO (to rush the season, a bit)!

    I am certain that there is a financial advantage to the health care provider if they fail to include such language - the patient becomes the product, and they get a big discount on the cost of creating and operating the site.

    It would be very nice to be wrong about this, but I'll bet I'm not.

    So, the big boys (Meta, Google, TikTok - whoever else is offering these beacons) are only the big end of the pool. There must be literally thousands of small organizations with the same or greater access to patient information without any monitoring or restriction at all.

    1. hayzoos

      Re: Step back and look at the forest!

      In my initial post I claimed a local healthcare monopoly. Technically incorrect, they have only about 85-95% of the market depending on when you check the stats. The majority of the others belong to a neighboring area's near monopoly. This is probably an off the record agreement to allow each others' areas to be clear of monopoly status.

      The vast majority of general practitioners are part of the parent organization's "physician group". Specialists are part of the "physician group specialists" (Creative, are they not?)

      So I step back and look to see that most of the providers and facilities sport the sort of pale sea green banded pyramid logo which is the brand. There is a bit of the neighboring near monopoly's purple letters on white logo but only enough to show a monopoly does not exist.

      I look a bit closer to see that the local near monopoly joined another group whose headquarters are about 500 miles distant and membership spans multiple states. But each member organization seems to retain their local identity with the overarching organization name or initials prefixed to their own.

      These large regional healthcare organizations came about due to the health insurance companies having too much rate negotiating power compared to the small providers. So the small providers had to join larger organizations in order to equalize the power equation.

      This means there is no "small" provider who cannot afford the proper security of their web presence or online portals. Mychart is a product of EPIC systems, specializing in healthcare portals. With a name like that . . .

  8. Anonymous Coward
    Anonymous Coward

    What harm can a pixel do?

    If media didn't refer to pixels rather than data rape malware code, users might get the idea this shit isn't safe. The register included.

    1. An_Old_Dog Silver badge

      Re: What harm can a pixel do?

      Meta intentionally euphemized their data-rape malware code as "Meta Pixel" to make it sound harmless, and various journalists unquestioningly swallowed that euphemism down whole, and used that euphemism in their articles, so that's what the public will (confusedly) call it.

      Meta's strategy was achieved!

  9. Anonymous Coward
    Anonymous Coward

    "Usual data breach letter, please"

    I got a letter from one of my providers with exactly the same confession - it looks like a form letter, possibly provided by the portal vendor. It does not offer any compensation, just the usual hand-wringing.

    1. ThatOne Silver badge
      Devil

      Re: "Usual data breach letter, please"

      It just says they take the security of your data very seriously, doesn't it?

  10. Claptrap314 Silver badge

    Looks like

    My adamant refusal to have anything to do with MyChart was more justified than just my in principle objection to the use of such "portal"s.

  11. MrReynolds2U

    "AAH's... robust technology vetting process"

    Doesn't seem to be living up to that claim so far.
