Tracking online users can lead to improper disclosures of patient data

It’s common in health care to use third-party software, but exposing information prompts a warning from HHS’ cybersecurity agency.

Patient data disclosures have prompted a new bulletin by the Health Sector Cybersecurity Coordination Center within the U.S. Department of Health and Human Services.

It’s nice to know patient information is secure when patients visit websites of physicians and other health care providers.

But that’s not always happening when third-party software providers track health information and personal data about the people using websites and apps of doctors, hospitals, and health systems.

The warning came in the latest report published this month by the Health Sector Cybersecurity Coordination Center (HC3), within the U.S. Department of Health and Human Services. HC3 also published a sector alert on an emerging threat to software used in the health care and public health sectors.

Data analytics

Use of third-party providers is common in health care, including for health-related mobile applications. “Website owners use the data gathered by web analytics providers to learn how to best engage with their customers,” the bulletin said.

Common software includes programs from Adobe Analytics, Clicky, Google Analytics, Hotjar, Kissmetrics, and Mixpanel, according to HC3.

But analyzing web user data “can expose personally identifiable information (PII) and protected health information (PHI) without user knowledge or consent,” the bulletin said. There already have been millions of improper disclosures of patient records, prompting the HC3 bulletin.

The agency did not refer specifically to one case that made national news last year, when a news report claimed Facebook parent company Meta wrongly tracked patient information. A federal lawsuit followed, claiming that this happened on at least 664 hospital system or medical provider websites. Since then, class action lawsuits making similar allegations have been filed around the nation against various health systems, according to news reports.

What to do

HC3 recommended the following actions to safeguard patient information:

  • Health care entities should have a “Business Associate Agreement” with website metric providers such that the website metric providers agree to follow protection standards of the federal Health Insurance Portability and Accountability Act.
  • Tracking software should be configured to limit access only to data within the scope of agreement.
  • All data used by third-party web metrics providers should be anonymized and encrypted prior to analysis.
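As an added illustration of the second and third recommendations (this is not code from the HC3 bulletin or from any of the vendors named above), the following client-side scrubber removes identifier-bearing parts of the page URL and drops any event property not on an allowlist before a pageview is handed to a third-party analytics tracker; the parameter names, path patterns and sample URLs are assumptions chosen for the example.

```javascript
// Added example (not from the HC3 bulletin): scrub a web-analytics pageview
// event in the browser before it reaches a third-party tracker, so the
// tracker only sees data inside the scope of the business associate
// agreement. Field names, patterns and sample values are constructed.

// Query parameters that often carry identity or health details on a
// patient portal (assumed list; build yours from a real site inventory).
const SENSITIVE_PARAMS = new Set([
  'patient_id', 'mrn', 'email', 'name', 'dob', 'diagnosis', 'condition',
  'appointment_id', 'token',
]);

// Custom event properties the tracker may receive (allowlist: anything
// not named here is dropped rather than forwarded).
const ALLOWED_PROPS = new Set(['page_type', 'locale', 'device']);

// Path segments that look like record identifiers: long digit runs, UUIDs,
// or MRN-style tokens such as MRN0099.
const ID_SEGMENT =
  /^(\d{5,}|[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}|mrn\d+)$/i;

// Return a copy of the page URL with PHI-bearing parts removed: sensitive
// query parameters deleted, identifier-like path segments replaced by a
// placeholder (page type survives, the patient does not), fragment dropped.
function scrubUrl(rawUrl) {
  const url = new URL(rawUrl);
  for (const key of [...url.searchParams.keys()]) {
    if (SENSITIVE_PARAMS.has(key.toLowerCase())) url.searchParams.delete(key);
  }
  url.pathname = url.pathname
    .split('/')
    .map((seg) => (ID_SEGMENT.test(seg) ? '_id_' : seg))
    .join('/');
  url.hash = '';
  return url.toString();
}

// Build the minimal event the tracker will receive: scrubbed URL plus
// allowlisted properties only. Page title, form values and free-text
// properties never leave the browser.
function scrubEvent(event) {
  const props = {};
  for (const [k, v] of Object.entries(event.props || {})) {
    if (ALLOWED_PROPS.has(k)) props[k] = v;
  }
  return { url: scrubUrl(event.url), props };
}
```

Call `scrubEvent` on the event object immediately before invoking the vendor's tracking call, and keep the sensitive-parameter list in sync with the site's own URL inventory.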

Another threat emerges

HC3 this week published a sector alert on hackers attacking Veeam Backup & Replication (VBR) software. It is used to back up, replicate, and restore data on virtual machines.

It also is used to protect and restore files and applications in Microsoft Exchange and SharePoint, which are used in health care programs, and in Oracle and Microsoft SQL databases.

HC3 recommended upgrading earlier versions of the VBR software and applying other security patches.

The threat emerged in March 2023, when researchers identified hacker attacks carried out by FIN7, a financially motivated hacking group. FIN7 was first discovered in the mid-2010s, and the U.S. Department of Justice has targeted the group for massive computer breaches involving nationally known restaurants and retailers. By 2018, a Wired magazine report claimed FIN7 had set up a front company known as Combi Security to pilfer more than $1 billion from companies around the world.

At least three high-level organizers of FIN7 have been arrested, extradited to the United States, and sentenced to prison for their roles in the cybercrimes, according to the U.S. Department of Justice.
