New York-based online alcohol treatment service Monument Inc. has disclosed a data breach affecting around 109,000 clients, which occurred when third-party tracking tools on its website were used without appropriate authorization or consent. Monument’s internal review found that the activity started in January 2020 for Monument’s own members, and in November 2017 for members of Tempest, a counseling service acquired last year.
The breach exposed names, birthdates, email addresses, telephone numbers, addresses, insurance member IDs, IP addresses, photographs, assessment or survey responses, appointment-related information, and associated health information.
Similar incidents have been reported by other organizations, including online mental health services provider Cerebral, which recently revealed a breach affecting almost 3.2 million individuals.
Monument says it has now ended its relationship with third-party advertisers that refuse to comply with its contractual requirements and applicable law. The company has also committed to sharing information only in a manner that complies with HIPAA and other applicable laws.
Monument conducted its review of these practices following guidance issued by federal regulators in December 2022 regarding privacy concerns involving the use of tracking technologies. The company’s CEO, Michael Russell, stated that safeguarding patients’ privacy is a top priority, and that the firm will continue to adopt appropriate measures to keep data safe.
Privacy attorney Cory Brennan has stated that healthcare entities need to review any marketing technologies implemented on their websites following the recent rash of web tracking breaches. If any component of a regulated entity’s website is established to entice or procure individual interaction or engagement, the organization should determine exactly what information is collected and transmitted through third-party tracking technologies as soon as possible.
“All electronic protected health information created, received, maintained, or transmitted by a covered entity is subject to the HIPAA Security Rule,” Brennan said. “If an entity regulated by HIPAA is not including its web environment and the technologies used within that environment in the scope of its standard HIPAA compliance practices, this is a huge gap and will continue to create risks for the organization.”
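One way to start the inventory Brennan describes, determining exactly what leaves a site through third-party tracking tags, is to capture a browser session of the sensitive pages (an assessment or intake form, for example) as an HTTP Archive (HAR) file and audit every request that goes to a host outside the first-party domain. The script below is an added example and is not code from the article or from Monument; it works on the standard HAR structure, the domains and the captured traffic are constructed and hypothetical, and the list of sensitive field names is an assumption that a real review would extend from the site's own forms.

```python
"""Audit a HAR capture for third-party requests that carry form data or page context.

Added example (not from the article). Assumes the standard HAR 1.2 layout
(log.entries[].request with url, method, headers, queryString, postData).
"""
import json
from urllib.parse import parse_qsl, urlsplit

# Constructed sample capture: a first-party page load, a tracking pixel that
# receives submitted form fields, and an analytics script fetch. All domains
# are hypothetical and the traffic is made up for illustration.
SAMPLE_HAR = {
    "log": {
        "entries": [
            {"request": {"method": "GET",
                         "url": "https://clinic.example/assessment",
                         "queryString": [], "headers": []}},
            {"request": {"method": "POST",
                         "url": "https://pixel.tracker-a.example/collect",
                         "queryString": [],
                         "headers": [{"name": "Referer",
                                      "value": "https://clinic.example/assessment?q1=yes"}],
                         "postData": {"mimeType": "application/x-www-form-urlencoded",
                                      "text": "ev=FormSubmit&email=pat%40example.org"
                                              "&phone=5550100&dob=1990-01-01"}}},
            {"request": {"method": "GET",
                         "url": "https://cdn.tracker-b.example/analytics.js?v=3",
                         "queryString": [{"name": "v", "value": "3"}],
                         "headers": []}},
        ]
    }
}

# Assumed field names that would count as identifiers or health-related data.
# A real audit seeds this from the site's own form field names.
SENSITIVE_FIELDS = {"email", "phone", "dob", "name", "address", "member_id",
                    "insurance_id", "ip", "survey", "assessment", "appointment"}


def is_third_party(host: str, first_party: str) -> bool:
    """True unless the host is the first-party domain or one of its subdomains."""
    return not (host == first_party or host.endswith("." + first_party))


def extract_fields(request: dict) -> dict:
    """Collect query-string and body parameters sent with one request."""
    fields = {item["name"]: item["value"] for item in request.get("queryString", [])}
    post = request.get("postData") or {}
    mime = post.get("mimeType", "")
    text = post.get("text", "")
    if mime.startswith("application/x-www-form-urlencoded"):
        fields.update(parse_qsl(text))
    elif "json" in mime:
        try:
            body = json.loads(text)
            if isinstance(body, dict):
                fields.update({k: str(v) for k, v in body.items()})
        except ValueError:
            pass  # malformed body: nothing to attribute, but the request is still listed
    return fields


def audit_har(har: dict, first_party: str) -> list:
    """Return one finding per third-party request, noting sensitive fields and
    whether the Referer header reveals which page (and query) the user was on."""
    findings = []
    for entry in har["log"]["entries"]:
        req = entry["request"]
        host = urlsplit(req["url"]).hostname or ""
        if not is_third_party(host, first_party):
            continue
        fields = extract_fields(req)
        sensitive = sorted(k for k in fields if k.lower() in SENSITIVE_FIELDS)
        referer = next((h["value"] for h in req.get("headers", [])
                        if h["name"].lower() == "referer"), "")
        ref = urlsplit(referer)
        reveals_page = (ref.path not in ("", "/")) or bool(ref.query)
        findings.append({"host": host, "method": req["method"],
                         "sensitive_fields": sensitive,
                         "referer_reveals_page": reveals_page})
    return findings


if __name__ == "__main__":
    for f in audit_har(SAMPLE_HAR, "clinic.example"):
        print(f)
```

Run against a real HAR exported from the browser's developer tools, the output is the list of external hosts and exactly which submitted fields and page paths each one received, which is the factual basis a compliance review needs before deciding whether a business associate agreement, a configuration change, or removal of the tag is required.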