Analytics Code May Have Leaked Personal Health Data
The Advocate Aurora Health (AAH) network, which operates in Wisconsin and Illinois, has reported a data breach to the US Department of Health and Human Services (HHS) Office of Civil Rights. AAH says that the analytics code it was using on its online portals may have leaked patient data to third parties, including Meta and Google. The incident affects three million individuals.
There has been a lot of movement in recent years by software architects to include privacy as part of their DevOps requirements, but they don’t always understand the complexity of how much data is being leaked, or where it is being leaked to, in the tools that are used to maintain those web sites once they go into production. This piece is a good one to use to show the CIO and get security expertise integrated into that aspect of DevOps.
The organization was using tracking services from Google, Facebook and others. Depending on how a user’s browser was configured and logged into the third-party services, obtained data may have included first and last names, dates, times and types of scheduled appointments or procedures and insurance information, underscoring the importance of knowing what data is shared when you're deploying tracking or other analytics supporting information on customer-facing web sites. Keep in mind the data collected could fall into PII or PHI, which can get you crossways with regulators and regulations (GDPR, CCPA, HIPAA, etc.). At a minimum, exclude them from pages where sensitive information is collected or displayed.
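One way to check the "exclude them from sensitive pages" advice in a build or release pipeline, as an added example that is not from the original article or from AAH: it scans rendered HTML for resources loaded from hosts other than the site's own on pages under sensitive paths. The host names, paths and page bodies are constructed placeholders, and the function names are hypothetical.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags whose src attribute makes the browser send a request to another host.
LOADING_TAGS = {"script", "img", "iframe"}

class ResourceCollector(HTMLParser):
    """Collects the host names of absolute and protocol-relative src URLs."""
    def __init__(self):
        super().__init__()
        self.hosts = set()

    def handle_starttag(self, tag, attrs):
        if tag not in LOADING_TAGS:
            return
        src = dict(attrs).get("src")
        if src:
            host = urlparse(src).hostname  # None for relative (same-site) URLs
            if host:
                self.hosts.add(host.lower())

def is_first_party(host, first_party):
    # The site's own host and its subdomains count as first party.
    return host == first_party or host.endswith("." + first_party)

def audit(pages, first_party, sensitive_prefixes):
    """Return {path: [third-party hosts]} for pages under sensitive prefixes."""
    findings = {}
    for path, html in pages.items():
        if not path.startswith(tuple(sensitive_prefixes)):
            continue
        collector = ResourceCollector()
        collector.feed(html)
        third = sorted(h for h in collector.hosts
                       if not is_first_party(h, first_party))
        if third:
            findings[path] = third
    return findings

# Constructed sample pages (assumed layout of a patient portal).
SAMPLE_PAGES = {
    "/about": '<script src="https://analytics.tracker.example/t.js"></script>',
    "/appointments/new": '<script src="/static/app.js"></script>'
        '<script src="https://analytics.tracker.example/t.js"></script>'
        '<img src="//pixel.ads.example/p.gif?ev=PageView">',
    "/billing/insurance": '<script src="https://cdn.portal.example.org/form.js"></script>',
}

if __name__ == "__main__":
    result = audit(SAMPLE_PAGES, "portal.example.org", ["/appointments", "/billing"])
    for path, hosts in result.items():
        print(path, hosts)
```

A static scan only sees tags present in the delivered HTML; scripts injected at runtime by a tag manager need a browser-based capture of outbound requests to detect.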
Read more in
Gov Infosecurity: Health Entity Says Tracking Code Breach Affects 3 Million
OCR Portal: Cases Currently Under Investigation