Atrium Health has disclosed a data breach affecting over 585,000 individuals, linked to third-party tracking technologies on its patient portal.
Atrium Health, a prominent healthcare provider, has informed the U.S. Department of Health and Human Services (HHS) of a data breach that affects more than 585,000 individuals. While HHS has not disclosed specific details about the incident, the breach appears tied to the use of online tracking technologies in the company’s patient portal between 2015 and 2019.
Atrium Health revealed that these tracking technologies, including tools from Google and Facebook (now Meta), were intended to enhance user experience on its MyAtriumHealth and MyCarolinas patient portals. However, the company has discovered that these tools may have inadvertently transmitted sensitive patient information to third parties.
An initial review conducted in 2022 found no significant issues. However, a subsequent, more in-depth analysis uncovered potential data exposure, leading Atrium Health to notify affected individuals and authorities.
In October 2024, healthcare providers faced scrutiny over their use of online tracking tools, which pose privacy risks. This issue gained national attention two years ago when a Baltimore patient filed a class-action lawsuit against Meta Platforms, alleging that the company’s tracking technologies accessed patient information from health system websites and portals for targeted marketing purposes.
The lawsuit ignited a larger debate that reached Capitol Hill, prompting hearings and a response from the U.S. Department of Health and Human Services (HHS). As a result, HHS developed new tracking rules while facing legal pushback from the American Hospital Association (AHA).
“These commonly used internet technologies were utilized to help operate certain features of our Patient Portal and enhance the online experience for users. We have learned that, during this time frame, these technologies may have transmitted certain personal information to third-party vendors, such as Google and Facebook (now Meta),” Atrium explained to affected individuals in a Notice of Privacy Matter.
The company acknowledged it is unclear exactly what information was shared but noted that potential exposures could include IP addresses, cookies, treatment or provider details, names, email addresses, phone numbers, and physical addresses.
“Based on our review, no Social Security number, financial account, credit card, or debit card information was involved,” Atrium emphasized. “There is no evidence that any information that may have been shared with these third parties has been misused in any way. Moreover, the nature of the information that could have been collected would be very unlikely to result in identity theft or any financial harm.”
The disclosure raises concerns about the use of tracking technologies in healthcare platforms and their potential risks to patient privacy. While improving user experience, these tools may inadvertently compromise sensitive information if not properly managed.
Online tracking technologies, such as cookies and tracking pixels, are often used to enhance website functionality and user experience. However, in healthcare, these tools can inadvertently transmit sensitive patient information to third parties, violating privacy laws.
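One way a portal team could check a page for this kind of exposure, as an added example that is not from Atrium Health or the original article: the script lists every script, image or iframe that loads from another host and the query parameter names each request carries. The first-party host, the tracker suffix list and the sample page are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit, parse_qs

# Assumptions for this example: the portal's own host and a short tracker suffix list.
FIRST_PARTY = "portal.example.org"
TRACKER_SUFFIXES = ("googletagmanager.com", "google-analytics.com",
                    "doubleclick.net", "facebook.com", "facebook.net")

class ThirdPartyAudit(HTMLParser):
    """Record every script, image or iframe URL that points at another host."""
    FETCHING_TAGS = ("script", "img", "iframe")

    def __init__(self, first_party):
        super().__init__()
        self.first_party = first_party
        self.findings = []

    def handle_starttag(self, tag, attrs):
        if tag not in self.FETCHING_TAGS:
            return
        src = dict(attrs).get("src")
        if not src:
            return
        parts = urlsplit(src)
        host = parts.hostname
        if host is None or host == self.first_party:
            return  # relative or same-host resource stays with the portal
        is_tracker = any(host == s or host.endswith("." + s) for s in TRACKER_SUFFIXES)
        # Query parameter names show what the request carries to the third party.
        self.findings.append((tag, host, is_tracker, sorted(parse_qs(parts.query))))

def audit(html, first_party=FIRST_PARTY):
    parser = ThirdPartyAudit(first_party)
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample page, not taken from any real portal.
SAMPLE = """<html><head>
<script src="/static/portal.js"></script>
<script async src="https://www.googletagmanager.com/gtag/js?id=G-EXAMPLE"></script>
<script src="//connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<img height="1" width="1" src="https://www.facebook.com/tr?id=0000&amp;ev=PageView&amp;dl=https%3A%2F%2Fportal.example.org%2Fappointments%2Fcardiology">
<img src="https://cdn.example.net/logo.png">
</body></html>"""

if __name__ == "__main__":
    for tag, host, is_tracker, params in audit(SAMPLE):
        print(f"{'TRACKER' if is_tracker else 'other  '} <{tag}> {host} params={params}")
```

This inspects static HTML only; requests that scripts issue at runtime need a browser-level capture to see.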
Organizations can reduce risk by implementing strong cybersecurity measures, regularly updating software, conducting employee training, auditing third-party vendors, and encrypting sensitive data.
The long-term risks depend on the type of data exposed. Personal information can be used for identity theft, while exposed medical records could lead to privacy violations or even discrimination in some cases.