Community Health Network in Indiana has become the latest healthcare entity to notify patients that their protected health information was transmitted via trackers on their website from Google and Meta. Their FAQ page attempts to explain it in basic English and does a good job, but there’s no getting around this:
Any individual who visited the Community MyChart patient portal or scheduled an appointment on the eCommunity.com website since the date we began using these third-party tracking technologies (April 6, 2017), may have been involved. However, because the type of information transmitted through the tracking technologies varied depending on the configurations on the user’s device and the user’s activity on the Community website and MyChart patient portal, Community cannot determine with certainty whose information was transmitted. For example, if an individual adjusted the settings on their device to block or delete cookies, or if they use only browsers that support privacy-protecting operations, their information likely was not involved, even if they accessed MyChart or the eCommunity.com website during the time in question.
And while there is no guarantee any one individual had any or all of the following fields involved, they might have if they didn’t block cookies in their browser and depending on what they interacted with on the site:
- User’s IP address
- Dates, times, and/or locations of scheduled appointments
- Information about the patient’s provider
- Type of appointment or procedure scheduled
- Communications between the user and others through MyChart
- First name and last name
- Medical record number
- Email address
- Phone number
- Contact information entered into Emergency Contacts or Advanced Care Planning
- Information about whether the patient had insurance
- Proxy name and contact information
- Website button/menu selections
You can read their full notice on their website.
The incident was reported to HHS as affecting 1.5 million patients.
By now, millions of patients have been notified. At some point, we will ask questions like, “Why wasn’t this discovered sooner? (It was). Why didn’t these entities know what was being sent out of their system? Why didn’t Google and Meta inform the entities more about what was involved and how it worked?”
Will all data be deleted? I would hope so, especially since abortion clinic trackers could put patients at risk of criminal prosecution in some parts of the country. In the meantime, the number of notifications and lawsuits mounts.