How a simple website configuration oversight caused one of the largest HIPAA breaches in history

In March of 2023, Cerebral, a telehealth platform that offers online therapy and medication management services, officially notified the U.S. Department of Health and Human Services (HHS) of a healthcare data breach. The breach affected over 3.1 million individuals who use Cerebral’s services for their mental healthcare needs.

Cerebral operates a website platform where users log on and access their services. That platform used tracking technologies provided by third parties such as Google, Meta, and TikTok.

The use of website tracking technology is a common practice. Its role is to gather and analyze user data and interactions with a website, enabling businesses and organizations to better understand user behavior, preferences, and patterns. This information is invaluable for enhancing user experience, optimizing website design, and refining marketing strategies.

However, it’s important to note that such practices have been known to result in data breaches and, in some cases, violations of regulations like HIPAA and GDPR, depending on the type of data being collected and tracked using these technologies.

As per Cerebral’s notice to HHS, the data breach involved the unauthorized disclosure of various protected data sets, depending on how a user interacted with Cerebral’s platform.

“If an individual created a Cerebral account, the information disclosed may have included name, phone number, email address, date of birth, IP address, Cerebral client ID number, and other demographic or information,” the notice indicated.

“If, in addition to creating a Cerebral account, an individual also completed any portion of Cerebral’s online mental health self-assessment, the information disclosed may also have included the service the individual selected, assessment responses, and certain associated health information.”

In cases where users signed up for a subscription plan, additional information such as insurance co-pay amounts, subscription type, booking details, treatment particulars, and health insurance information might have been exposed.

To keep compliance with HIPAA, CCPA, GDPR, and other privacy compliance mandates, it is important to understand how these website tracking technologies work, what kind of information is being collected from website visitors, where that information is stored, and who has access to it.

Moreover, the use of website tracking must be placed in a context that is relevant to your practice and business. To comply with the website tracking legal requirements, you must first determine:

  • Which data protection laws apply to your business,
  • Which requirements are set forth in those laws, and
  • What solutions can be employed to meet those requirements?

Communication and effective collaboration with web developers are key. They are subject matter experts on web development and on how website tracking technologies work, but they may not understand the legal requirements around PII that apply to your practice or business. While you may have an existing BAA with a web developer, the ultimate responsibility for protecting patient data lies solely with the provider.

Conducting a data privacy audit on your website is also important. Such audits involve assessing the utilization of first-party cookies, third-party cookies, and third-party requests within your website. This assessment aims to validate whether the website gathers and distributes data in alignment with privacy regulations.
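As an added illustration of the third-party-request part of such an audit (example code, not from the original article or from Cerebral): the script below parses a page's HTML, lists every resource that would be requested when the page loads, classifies each as first-party or third-party relative to the site's own host, and flags hosts on a small list of known tracking domains. The tracker list, the `example-health.com` site and the sample page are constructed assumptions, and the registrable-domain check is a deliberate simplification with no public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumed tracker hosts for this audit (illustrative, not a complete list).
KNOWN_TRACKERS = ("google-analytics.com", "googletagmanager.com",
                  "facebook.net", "facebook.com", "tiktok.com")

class ResourceCollector(HTMLParser):
    """Collect URLs of tags that fire a request when the page loads."""
    TAGS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}

    def __init__(self):
        super().__init__()
        self.urls = []

    def handle_starttag(self, tag, attrs):
        attr = self.TAGS.get(tag)
        value = dict(attrs).get(attr) if attr else None
        if value:
            self.urls.append(value)

def registrable(host):
    """Crude registrable domain: last two labels (no public-suffix lookup)."""
    return ".".join(host.lower().split(".")[-2:])

def audit(html, site_host):
    """Return one finding per external request, flagging third parties and trackers."""
    collector = ResourceCollector()
    collector.feed(html)
    findings = []
    for url in collector.urls:
        host = urlparse(url).hostname
        if not host:  # relative URL: served by the site itself, nothing leaves
            continue
        findings.append({
            "url": url, "host": host,
            "third_party": registrable(host) != registrable(site_host),
            "tracker": any(host == t or host.endswith("." + t) for t in KNOWN_TRACKERS),
        })
    return findings

# Constructed sample: a self-assessment page that loads two tracking tags.
SAMPLE_HTML = """<html><head>
<script src="https://www.googletagmanager.com/gtag/js?id=G-PLACEHOLDER"></script>
<script src="/static/app.js"></script>
<link rel="stylesheet" href="https://cdn.example-health.com/site.css">
</head><body>
<img src="https://www.facebook.com/tr?id=PLACEHOLDER&ev=PageView" width="1" height="1">
</body></html>"""
```

Running `audit(SAMPLE_HTML, "www.example-health.com")` reports the Google Tag Manager script and the Meta pixel image as third-party trackers, while the CDN stylesheet is recognized as first-party; any tracker finding on a page that handles assessment or booking data is the gap an audit like this is meant to surface.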

Auditing your website’s data-tracking practices to align with HIPAA, CCPA, and GDPR is not just a legal obligation, but a strategic move towards building trust and safeguarding user privacy. By conducting regular website audits, you ensure that your data-tracking practices are transparent, accountable, and in full compliance with laws and regulations. Auditing helps identify any potential gaps in data protection, rectify them promptly, and mitigate the risk of hefty fines. Moreover, demonstrating a commitment to compliance can enhance your reputation, foster user confidence, and solidify patient and customer relationships. Ultimately, auditing your website’s data-tracking practices reflects a commitment to ethical data handling, ensuring that your business operates ethically in the digital landscape while maintaining the rights and privacy of your patients.

About the author

Katalin Van Over is a patient data privacy and security professional who, for the past 15 years, has designed and managed HIPAA compliance programs in various healthcare settings, including inpatient and outpatient facilities, small practices, and the biotech industry.

Katalin is also the co-owner of ProLogic IT, a healthcare IT company that manages computer systems for small and medium-size practices across the country. ProLogic IT offers HIPAA compliance services that support small healthcare practices, including complimentary HIPAA audit review services to help providers identify compliance gaps and data risks. ProLogic IT also offers easy and affordable solutions to mitigate compliance gaps and comply with state and federal mandates while preserving the integrity and continued safe operation of a practice.
