A civil suit purporting privacy violations, filed in the U.S. Northern District of California, provides a cautionary tale about the value and ramifications of knowing how your organization shares data with others.
On July 25, 2022, a civil complaint was filed in the US Northern District of California Court against a social media giant and two medical care providers. The complaint alleges data privacy violations leading to the use of personal health information and personally identifiable information to target advertising to the plaintiff.
In the complaint, the plaintiff (Jane Doe for privacy) alleged that after having used a patient portal to access her medical providers’ websites via their “My Chart” and “My Portal” online websites, her personal health information (PHI) was illegally collected by her providers and Meta (formerly Facebook). The data was collected without her consent by a code snippet called “Pixel,” which gathers information from websites related to a visitor’s page visits, actions, and views.
Jane then alleges that the information collected was further used to target her specific medical problems and treatments with catered advertising. She claims these ads were posted to her social media accounts and her personal email address in the complaint.
Note: For specifics on the suit, see: Complaint
Rather than digging into the case, let’s examine what happened, why, and how that might affect you as a medical provider.
What happened?
It appears that at least two medical providers allowed the insertion of a snippet of tracking code onto their website(s), which collects data from the site and site visitors, and sends it to a data repository at the code provider’s location. The data is then connected to other data about the site visitors, where available, and is used to create advertising campaigns both for the code provider and the medical providers.
Advertising campaigns are how businesses create revenue, so this is not a new idea, just a new(er) way of accomplishing the goal of sales. It must be pretty effective if you just look at the number of companies that gather and sell data worldwide and how much they make yearly. You can also see it in how the Dark Web is rife with stolen data and data access on the Internet. Billions, if not trillions, of dollars are spent each year just to sell us something.
This is not an uncommon practice in many ways!
Virtually every business with a web presence, and most that don’t, collects data from visitors and clients to build out their advertising and better understand their client’s needs and wants. It helps the business spend its advertising money wisely by sharpening the focus of topic content and reducing the loss of resources chasing those customers that are less likely to come in or return after an initial visit.
It is typical for the client never to see the data collection or any hint. They go about their business daily, knowing subconsciously that it is happening, but most either do not care or become numb. Everyone does it, so why worry? Right?
However, just because your clients aren’t paying attention doesn’t mean you don’t have to.
As a medical provider or business associate to medical providers, you should protect your patients and their personal health information.
How will this Affect You?
This type of situation, with a big-data gatherer and medical providers, in this case, isn’t going to make your patients feel safe or protected by you. They will likely (rightfully) question how you gather data, what you gather, how you use it, and who you share it with. This is a GOOD thing to have them do, as it provides you the opportunity to assure them of their protection with your offices and business associates. You can give them the knowledge that you value them and their financial and health security.
When you show them that you take care to select what you gather and how it is used, you also give them the sense that this isn’t the only place that you respect and guard for them all that they are and hold dear. You are their protector.
Conscientiousness in this also reduces the risks related to potential suits such as the one in California. Furthermore, it will reduce your overall cybersecurity risk because you simply have planned for another possible threat.
What should you do?
If you are a medical provider or business associate, you handle sensitive and private information daily. You need that information to ensure your patients receive the best medical advice and treatments, which means you must protect that data.
Here are some thoughts on what you can do to protect yourself and your patients:
- Engage with your IT and cybersecurity teams or service providers to know exactly what is being taken in as necessary data from your patients. (HIPAA requirement)
- Make the distinction between protected and helpful information, then protect both as needed.
- Never allow yourself or your employees to make decisions about the data you are responsible for without getting the full rundown on how it is collected and stored and who gets to use it.
- Retain a legal representative that knows and understands local, state, and federal laws and regulations pertaining to information security in your organization.
- Notify your patients and visitors of their rights and allow them to decide what they will share with you and through you, your business associates, or service providers. (HIPAA requirement)
Ultimately, it is up to you to take the time and make an effort to secure the data you use. Your business will either profit from your care or pay the price for lack of respect and diligence.
Northstarr Recommendations
With decades of professional and personal experience in cybersecurity and information technology, the team at Northstarr System Solutions is capable of providing your organization (or you personally) with the skill set required to protect your client information at the highest possible level while also ensuring you have access to what you need to do your work. From helping you to create the appropriate policies at the highest levels to monitoring any implemented hardware and software, we are here for you!To find out more about how we can help, visit our website or give us a call at (888) 767-2210 to set up an appointment. We look forward to meeting with you!