On March 20, 2023, UC San Diego Health began notifying patients of a data breach that occurred due to the unauthorized use of analytics tools by its technology vendor, Solv Health.
The incident affected patients who used UCSD’s Express Care and Urgent Care scheduling websites between September 13 and December 22, 2022.
It has been reported that Solv Health placed analytics tools on these websites, which captured patient data and transmitted it to third-party service providers.
What personal patient information may have been disclosed?
According to the UCSD Health Notice, the following patient information may be at risk:
- First and Last Name
- Date of birth
- Email Address
- IP Address
- Third-Party Cookies
- Reason for Visit
- Insurance Type
No information was provided in the Notice about whether any attempts to reclaim disclosed patient data would be undertaken.
What are the “analytics tools” referred to in the UC San Diego Health Notice?
UCSD Health does not currently identify in its notice which unauthorized “analytics tools” were present on its urgent care centers’ webpages, capturing patient personal data. However, these analytics tools typically take the form of cookies, web beacons, and pixel trackers.
These pieces of code, invisible to patients, are usually designed to provide analytics of user interactions on websites, including page visit duration, the reason for engagement with the site, and the effectiveness of marketing campaigns. These tracking tools often share data with third parties, as was the case with UCSD Health.
In December 2022, UCSD Health directed Solv Health to remove the analytics tools from the affected scheduling websites. It has since transitioned to a new scheduling tool.
The use of online analytics tools and trackers without patient consent can be a violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). HIPAA is a federal law that protects the privacy of patients’ protected health information (PHI).
One of the key provisions of HIPAA is that healthcare providers must obtain patient consent before using or disclosing their health information. Using analytics tools and other online tracking devices without patient consent can be a violation of HIPAA because it constitutes the “use” of PHI without the patient’s consent.
Special California Privacy Laws Protect You
California’s privacy laws specifically protect your personal information. These laws include:
- The California Invasion of Privacy Act (CIPA) makes it unlawful for businesses to engage in electronic “wiretapping” without consent or to help other entities intercept electronic communications without consumer consent. The CIPA may entitle consumers to $5,000 or three times their damages, whichever is greater.
- The Confidential Medical Information Act (CMIA) protects confidential health-related information. The CMIA prohibits a health care provider, health care service plan or contractor from disclosing patient information without authorization. The CMIA may entitle consumers to $1,000 without proof of any monetary damages.
Despite the above California laws, you may not be awarded compensation without legal assistance. You may be entitled to up to $5,000, or more, depending on which California laws may have been violated by this conduct.
Participants can recover damages, injunctive relief (to make sure the business has reasonable security practices to protect consumer data), and anything else necessary to compensate victims and prevent these harms from occurring again.
Class action attorneys experienced in unauthorized data access claims can help you exercise your rights, evaluate your options and decide whether you are entitled to compensation.
You Have Important Legal Rights Under California’s CCPA
The CCPA also provides consumers with other important rights. These include:
- The right to see a copy of the personal data a business has collected about you for free.
- The right to discover why a business has collected your personal information, what it has shared (by category), who it was collected from (by source type), and who it has shared your data with (by category).
Your Rights Under California Law
If you have received a notice from UC San Diego Health regarding this data breach or have used UCSD Health’s scheduling website between September 13 and December 22, 2022, to book an appointment for in-person or video visits at its Express Care or Urgent Care locations, your personal information may have been sold to third parties without your informed authorization or consent.