UC San Diego Health Announces Impermissible Disclosure of Patient Data Due to Website Analytics Code
University of California (UC) San Diego Health is the latest healthcare organization to start notifying patients that some of their protected health information has been impermissibly disclosed to third parties due to the use of website tracking technologies. UC San Diego Health said the analytics code was added to its scheduling websites by one of its business associates, Solv Health, without authorization from UC San Diego Health. UC San Diego Health contracted with Solv Health to provide website hosting and management services.
The analytics code captured limited data of visitors to the scheduling websites who booked in-person or telehealth appointments. The captured information was then impermissibly disclosed to the third parties that provided the code. UC San Diego Health did not state in its breach notifications who the third parties were but said they received first and last names, birth dates, email addresses, IP addresses, third-party cookies, reasons for the appointments, and insurance type (e.g., PPO, HMO, Other).
UC San Diego Health confirmed that Social Security numbers, medical record numbers, financial account numbers, and debit and credit card information were not disclosed and the analytics code was not used on its electronic health record or MyUCSDChart systems, so no information within those systems was disclosed. UC San Diego Health said notification letters started to be mailed to affected individuals on March 20, 2023. Those individuals had used the scheduling websites for its Express Care (La Jolla) or Urgent Care locations (Downtown San Diego, Encinitas, Eastlake/Chula Vista, Pacific Highlands Ranch, & Rancho Bernardo).
When the analytics code was discovered in December 2022, UC San Diego Health directed Solv Health to immediately remove the code from the scheduling websites and worked with Solv Health to determine who had been affected. UC San Diego Health is now using a new online scheduling tool and has enhanced its vendor assessment and management procedures.
The incident was reported to the HHS’ Office for Civil Rights as affecting 23,000 individuals.