Privacy is essential in any aspect of our lives, especially regarding health. With the proliferation of online medical services and the digitization of medical records, patients expect the same level of protection they get in the office. Unfortunately, a data breach can happen to any site. In May of 2022, WakeMed announced a data breach that compromised the medical information of nearly 500,000 people. Their announcement came after Novant Health and Aurora Advocate Health reported the same problem.
Protected Health Information
Protected Health Information (PHI), broadly, is a patient’s medical history and payment history. The U.S. Health Insurance Portability and Accountability Act (HIPAA) is the most widely known rule protecting PHI. HIPAA cites 18 identifiers that are important to cover, such as names, birth dates, phone numbers, and health insurance identifiers.
The penalties for violating HIPAA are strict. They vary based on an individual’s culpability, from lack of knowledge to willful neglect. In 2021, a 2015 data breach of Excellus Health Plan resulted in a settlement of $5.1 million. The suit claimed the company violated HIPAA by failing to address technical issues that led to the PHI exposure of more than 9 million people.
Like the Excellus case, WakeMed’s breach came from the electronic transmission of PHI. Most sites today use text files called “cookies” to store data that a web user inputs in the browser. Cookies can make it easier for returning website users to log in; sometimes, they are necessary for a site’s functionality.
WakeMed utilized a tracking code provided by Meta/Facebook called Meta Pixel. The code gathers user activity with cookies. However, WakeMed discovered that Meta Pixel also sends the data it collects to Meta/Facebook. This means HIPAA-protected information may have been released without patient consent. This includes any information that a patient entered into their online portal, MyChart, for example email addresses, phone numbers, IP addresses, and vaccination status.
WakeMed confirmed its use of Meta Pixel from March 2018 until May 2022, which coincides with the surge of online medical services during the pandemic. But they were not the only ones. An article on The Markup states that three other North Carolina hospital systems are involved with the same leak: Novant, Duke, and Atrium.
Data Breaches Under the Law
All 50 states have security breach laws that regulate what constitutes personally identifiable information (PII) and who must comply. Notably, PHI is not only a subset of PII but is also protected under HIPAA. Medical information released in a data breach, therefore, has a variety of consequences attached.
North Carolina Attorney General Josh Stein has demonstrated the state’s willingness to hold companies accountable. Stein settled with Carnival Cruise Line for their breach in 2019, with the settlement totaling $1.25 million, setting the stage for further litigation.
WakeMed Data Breach Representation
Maginnis Howard’s consumer protection attorneys have experience holding large corporations accountable for their actions. Contact our office if you believe your information was unlawfully released in the WakeMed data breach. You can call us at (919) 526-0450 or email us through our contact page. Our intake specialists may ask for documentation to properly assess your potential case. We offer referrals for further legal representation even if our office can’t take on your specific issue.