Using third-party software is common in health care, but the patient information such software can expose has prompted a warning from HHS’ cybersecurity agency.
It’s nice to know patient information is secure when patients visit websites of physicians and other health care providers.
But that’s not always happening when third-party software providers track health information and personal data about the people using websites and apps of doctors, hospitals, and health systems.
The warning came in the latest report published this month by the Health Sector Cybersecurity Coordination Center (HC3), within the U.S. Department of Health and Human Services. HC3 also published a sector alert on an emerging threat to software used in the health care and public health sectors.
Use of third-party providers is common in health care, including for health-related mobile applications. “Website owners use the data gathered by web analytics providers to learn how to best engage with their customers,” the bulletin said.
Common software includes programs from Adobe Analytics, Clicky, Google Analytics, Hotjar, Kissmetrics, and Mixpanel, according to HC3.
But analyzing web user data “can expose personally identifiable information (PII) and protected health information (PHI) without user knowledge or consent,” the bulletin said. There already have been millions of improper disclosures of patient records, prompting the HC3 bulletin.
The agency did not refer specifically to one case that made national news last year when a news report claimed Facebook parent company Meta wrongly tracked patient information. A federal lawsuit followed claiming that happened on at least 664 hospital systems or medical provider websites. Since then class action lawsuits have been filed around the nation alleging similar claims against various health systems, according to news reports.
HC3 recommended the following actions to safeguard patient information:
HC3 this week published a sector alert on hackers attacking Veeam Backup & Replication (VBR) software. It is used to back up, replicate, and restore data on virtual machines.
It also is used to protect and restore files and applications in Microsoft Exchange and SharePoint, which are used in health care programs, and in Oracle and Microsoft SQL databases.
HC3 recommended upgrading earlier versions of VBR and applying other available security patches.
The threat emerged in March 2023, when researchers identified attacks carried out by FIN7, a financially motivated hacking group. Active since the mid-2010s, FIN7 has been targeted by the U.S. Department of Justice for massive computer breaches involving nationally known restaurants and retailers. By 2018, a Wired magazine report claimed FIN7 had set up a front company known as Combi Security to pilfer more than $1 billion from companies around the world.
At least three high-level organizers of FIN7 have been arrested, extradited to the United States, and sentenced to prison for their roles in the cybercrimes, according to the U.S. Department of Justice.