DaVita, a kidney care company, recently revealed they exposed data by using pixels.
What happened
DaVita, an Illinois-headquartered kidney care organization, recently released a notice of a data breach. The company offers dialysis, kidney care, and education in 11 countries, including the US, through partnerships with local hospitals and through its own centers. Other businesses under DaVita include the DaVita Venture Group, DaVita Integrated Kidney Care, DaVita Clinical Research, and DaVita Physician Solutions. It’s estimated the company serves over 200,000 patients with kidney disease.
According to their notice of a data breach, released July 2nd, DaVita determined that the company’s online tracking technology (also known as pixels) “may have transmitted personal information to certain… third party vendors when visitors accessed the health portal or mobile application.”
DaVita said pixels were used on their website health portal and their mobile application, Care Connect. Pixel usage was discovered on June 17th, 2024. These pixels, they said, are used to “understand how visitors interacted with our websites and mobile application.”
The information that may have been transmitted included: IP addresses, usernames, third-party identifiers/cookies, employment status, patient classification/reference, information indicating that you signed into a DaVita account or interacted with DaVita’s health portal or mobile application, some demographic information, and some lab information.
DaVita stressed that no passwords, Social Security numbers, financial information, or names were included (unless they were used as part of an individual’s username).
Why it matters
Pixels, which monitor user interaction to customize online engagement, became a significant concern in 2023 when it was revealed that Google and Meta may have been using them for ad-related purposes. Sending patient data to such vendors without authorization would constitute a privacy violation under HIPAA.
Despite privacy concerns, many organizations are reliant on companies that use pixels for administrative tasks. Meanwhile, companies like Google and Meta have said privacy concerns are the responsibility of healthcare organizations.
In September, the OCR and FTC released a letter advising healthcare organizations to cease the use of pixels or face penalties. Some organizations faced fines, but recent reports estimate that 33% of healthcare websites still use pixel tracking.
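As an added illustration (not code from the article or from DaVita), the following is a self-audit a healthcare organization could run over its own portal HTML to find third-party tracker loads of the kind described above; the tracker host list and the sample page are constructed for the example.

```python
# Added example (not from the article): audit a page's HTML for third-party
# tracking pixels and scripts. Host list and sample HTML are constructed.
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed, illustrative list of well-known tracker hosts (not exhaustive).
TRACKER_HOSTS = {
    "www.facebook.com",          # Meta pixel image endpoint (/tr)
    "connect.facebook.net",      # Meta pixel script
    "www.google-analytics.com",  # Google Analytics
    "www.googletagmanager.com",  # Google Tag Manager
}

class PixelAuditor(HTMLParser):
    """Collect <img>/<script>/<iframe> loads that look like tracking pixels."""

    def __init__(self, first_party_host):
        super().__init__()
        self.first_party_host = first_party_host.lower()
        self.findings = []  # (tag, host, reason)

    def handle_starttag(self, tag, attrs):
        if tag not in ("img", "script", "iframe"):
            return
        a = dict(attrs)
        host = urlparse(a.get("src") or "").netloc.lower()
        if not host or host == self.first_party_host:
            return  # relative or same-origin load: not a third-party pixel
        if host in TRACKER_HOSTS:
            self.findings.append((tag, host, "known tracker host"))
        elif tag == "img" and a.get("width") == "1" and a.get("height") == "1":
            self.findings.append((tag, host, "1x1 third-party image"))

def audit_html(html, first_party_host):
    """Return a list of (tag, host, reason) findings for the given page."""
    auditor = PixelAuditor(first_party_host)
    auditor.feed(html)
    return auditor.findings

# Constructed sample page resembling a patient portal with trackers embedded.
SAMPLE_HTML = """<html><body>
<img src="https://portal.example-health.test/logo.png">
<script src="https://connect.facebook.net/en_US/fbevents.js"></script>
<img src="https://www.facebook.com/tr?id=123&ev=PageView" width="1" height="1">
<img src="https://cdn.othervendor.test/beacon.gif" width="1" height="1">
</body></html>"""

if __name__ == "__main__":
    for tag, host, reason in audit_html(SAMPLE_HTML, "portal.example-health.test"):
        print(f"{tag:7} {host:28} {reason}")
```

Run against a saved copy of a portal page; any finding outside the organization's own hosts is a candidate for removal or for a business-associate review.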
What’s next
DaVita said that the company is conducting a “voluntary internal investigation in the use of these online tracking technologies” and would remove or disable the technologies if it could not find a HIPAA-compliant service to replace them. The company said it is also implementing new policies and additional training on the use of tracking technologies to prevent future incidents.
DaVita may face a penalty or fine, but there is currently no evidence that the information has been misused.