This data breach is one of most cringeworthy ever. One of the most sensitive and private health concerns people struggle with is alcohol addiction. What were the companies’ founders thinking when they set up online treatment programs? Why wasn’t patient privacy a higher priority?
Over 100,000 individuals seeking treatment for alcohol addiction with online healthcare companies Monument and Tempest recently learned their private data was shared with big tech companies for years.
Monument, which acquired Tempest in 2022, confirmed the multi-years’ leak of private sensitive patient information in a data breach notification filed with California’s attorney general three weeks ago. Monument explained that the breach was caused by third-party pixel tracking systems developed by large advertisers including Facebook, Google, Microsoft and Pinterest. Articles by TechCrunch and The Verge covered the Monument breach shortly after the breach notification appeared on the California AG site.
Monument in its Frequently Asked Questions explains on its website:
Pixel Tracking Privacy Problems in the News
This breach is similar to a handful of recent healthcare pixel tracking breaches – four were reported this year and four last year. One of the larger ones happened at Cerebral Inc., a mental health service provider, affecting over 3 million patients.
Earlier this year, the Federal Trade Commission (FTC) settled a privacy breach investigation with GoodRx, an investigation stemming from pixel tracking. GoodRx is not a “covered entity” under HIPAA, so HIPAA doesn’t apply. But the FTC enforces its own Health Breach Notification rule that applies to all companies handling health information.
As explained by The Verge:
“Pixel trackers are the snippets of code created by companies like Meta, Google, TikTok, and Pinterest that often get embedded into ads, websites, or emails. They track information about what a user clicks or the forms they fill out, which then gets used by both parties to create tailored ads or better understand their user bases.”
The patient information that Monument and Tempest shared with advertisers included names, birthdates, addresses, insurance information, and survey responses. It also included the person’s photo, unique digital ID, which services or plan the patient is using, appointment information and assessment and survey responses submitted by the patient, which includes detailed responses about a person’s alcohol consumption and used to determine their course of treatment.
As of today, Monument’s privacy policy posted on its website predates this breach disclosure, since it was last modified August 3, 2020. The policy is likely undergoing change, since Monument says it no longer allows advertisers to use the tracking code on its websites.
Broken Trust, HIPAA Problems, and Lawsuits
Every breach reported by a HIPAA covered entity is a HIPAA matter, and OCR will investigate, but an internet search with the name of the breach also reveals plaintiff attorney websites advertising for clients to join the next class action lawsuit. The lawsuits are not brought under HIPAA, but typically allege violation of state privacy laws, consumer protection laws, and breach of contract.
Google and Meta are defending class action lawsuits involving privacy breaches caused by pixel tracking tools. Although healthcare organizations are beginning to get the message and stop pixel trackers, the number of breaches and the numbers of patients affected is probably exponentially higher than what’s been disclosed so far because pixel tracking has permeated nearly every website in use today.