Mount Nittany Health Sued Over Alleged Website Tracking Code PHI Disclosures

Mount Nittany Health, a community healthcare provider and operator of the 260-bed Mount Nittany Medical Center in State College, Pennsylvania, is being sued over the alleged use of tracking code on its website and the impermissible disclosure of sensitive patient data to third parties such as Google and Facebook.

A recently published study indicates that 99% of U.S. hospitals have used tracking code on their websites that collects data about users as they navigate the site. The code is typically used to analyze website usage with a view to improving websites and services. The collected data is transmitted to the providers of that code, can be made available to third parties such as advertisers, and is often used for serving targeted adverts and for other marketing purposes. Several health systems and hospitals have reported breaches of patient information due to the use of such code over the past few months, including Community Health Network, WakeMed Health and Hospitals, Advocate Aurora Health, and Novant Health, and lawsuits have been filed across the country in response to these disclosures, which are generally not permitted under the Health Insurance Portability and Accountability Act (HIPAA).

The Mount Nittany Health lawsuit was filed in Centre County Court in Pennsylvania on behalf of two unnamed plaintiffs, John and Jane Doe, by attorney George Bochetto of the law firm Bochetto & Lentz. The lawsuit claims the sensitive information of website visitors was collected via code such as Meta Pixel and was transferred to Meta and other third parties without the knowledge or consent of website users.

The code transferred personally identifiable information together with information gathered from actions taken on the website, from which it can be inferred that an individual was a patient of the medical center or was being treated for a specific medical condition. That information is used to sell advertising: website owners that install the code receive information about ads they have placed on social media networks such as Facebook and Instagram and are able to target individuals who visited their website with advertising.

The lawsuit alleges Mount Nittany Health is continuing to use tracking code on its website and has not notified individuals about the impermissible disclosures. At present, there is no notice on Mount Nittany Health’s website about a tracking code-related data breach and no data breach is listed on the HHS’ Office for Civil Rights breach portal. The lawsuit alleges invasion of privacy, breach of duty of confidentiality, unjust enrichment, and violations of the Wiretapping and Electronic Surveillance Control Act and seeks $1 million in damages.

The post Mount Nittany Health Sued Over Alleged Website Tracking Code PHI Disclosures appeared first on HIPAA Journal.

Veterans’ Healthcare Facility in Arizona Exposed Employees to Potentially Deadly Hazards

A U.S. Department of Labor investigation of a Department of Veterans Affairs (VA) healthcare facility in Arizona found that workers had been exposed to potentially deadly hazards on steam lines. Employees were allowed to work on the steam lines without ensuring they followed the required safety procedures.

Federal agencies such as the VA are required to comply with the same safety and health standards as private sector employers that are covered by the Occupational Safety and Health (OSH) Act and must ensure that employees conduct their work duties safely and are not exposed to grave danger from hazards.

Federal safety inspectors visited the VA’s Prescott facility, operated by the Northern Arizona Veterans Affairs Health Care System, in October 2022 and determined that the facility lacked the energy-isolating procedures known as lockout/tagout, which prevent the release of hazardous energy during the maintenance and servicing of steam lines. Employees were found to be using ad-hoc methods that did not meet Occupational Safety and Health Administration (OSHA) requirements. The inspectors also determined that the facility had failed to train workers on the required safety procedures, thus exposing them to potentially fatal risks.

This is not the first time that a VA facility has failed to ensure proper procedures were followed when working on steam lines. Two years previously, a workplace accident at a Veterans Affairs Healthcare System facility in West Haven, CT, ended in tragedy when two workers suffered fatal burns while working on steam lines. OSHA inspectors found similar failures to ensure safety procedures were followed.

OSHA inspectors determined there had been one willful violation and two repeated violations of health and safety regulations at the Prescott facility and issued three serious notices for exposing employees to burns and potentially fatal injuries. “Federal law requires all employers, public or private, to provide a safe workplace. Management at all Veterans Affairs facilities should review their employee safety and health programs to ensure they comply with industry and OSHA standards for isolating hazardous energy before another tragedy occurs,” said OSHA Area Director T. Zachary Barnett.

The VA has 15 days from receipt of the notices to comply, request a conference with the OSHA area director, or appeal the notices. Private sector companies would be liable to pay financial penalties of up to $315,875 for the violations.


DC Health Link Data Breach Caused by Human Error

Further information has been released on the data breach at the Washington DC health insurance exchange, DC Health Link, ahead of today’s hearing of the House Oversight Committee’s Subcommittee on Cybersecurity, Information Technology, and Government Innovation.

The data breach was detected by DC Health Link on March 6, 2023, and Mandiant was engaged to investigate. By March 8 the source of the breach had been identified and was immediately shut down; however, files had already been stolen, and some of the compromised information was listed for sale on an online hacking forum. DC Health Link has offered complimentary credit monitoring and identity theft protection services to affected individuals. Mila Kofman, executive director of DC Health Link, said the internal investigation into the data breach is ongoing; however, she was able to share further information about the security incident and data breach and will be discussing the findings of Mandiant’s investigation at today’s hearing.

Last week, the two chairs of the subcommittee, Reps. Nancy Mace (R-South Carolina) and Barry Loudermilk (R-Georgia), issued a joint statement ahead of the hearing. “The breach of D.C. Health Link data put thousands of individuals at risk, including Members of Congress, congressional staff, and family members. The individuals who trusted the D.C. health exchange to keep their personal health data secure are rightly concerned about the potential consequences of this breach on their personal lives. They are relying on us to investigate how it took place, how it could have been avoided, how the fallout can be mitigated, and how to prevent a recurrence.”

In a prepared statement submitted ahead of the hearing, Kofman confirmed that 56,415 current and former customers were affected, including members of Congress, their families, and Congressional aides. Two reports were stolen that included the personal data of 17 members of Congress, 43 of their dependents, 585 staffers, and 231 of their dependents. The compromised information included basic personal information, contact information, dates of birth, and Social Security numbers.

The hacker was able to gain access to the data through a security flaw that, according to Kofman, was introduced by human error: a cloud server had been misconfigured, which allowed the reports to be accessed without authentication. Misconfiguration of cloud storage buckets is commonplace, with one report from Palo Alto Networks suggesting around two-thirds of exposed cloud servers contain some sensitive data. Kofman apologized for the breach and said DC Health Link rapidly investigated the incident and shut down access. “We are not shying away from this breach. We have been and remain committed to being open and transparent,” said Kofman in her prepared statement.
