UCHealth, UCLA Health Report Healthcare Data Breaches

The healthcare data breach at UCHealth stemmed from a third-party vendor, and the UCLA Health breach was tied to the organization’s use of analytics tools.

UCHealth and UCLA Health were the latest entities to report recent healthcare data breaches, both tied to third-party vendors.

UCHealth in Aurora, Colorado, reported a third-party data breach to HHS that impacted 48,879 individuals. According to its notice to patients, UCHealth was recently informed by software company Diligent that some patient, provider, and employee data may have been involved in a security incident.

“Diligent provides hosted services to UCHealth and reported to UCHealth that Diligent’s software was accessed and attachments were downloaded including UCHealth files,” the notice stated.

“Importantly, UCHealth’s systems, including its email and electronic medical record, were not impacted by this incident.”

The information potentially downloaded by the cybercriminal may have included names, addresses, treatment-related information, and dates of birth, as well as Social Security numbers and financial information in some cases.

UCHealth said it had “no reason to believe the data taken from Diligent’s system went beyond the cybercriminal or was misused in any way” but encouraged impacted individuals to watch for suspicious activity.

UCLA Health did not mention Meta specifically, but noted that the use of analytics tools on an appointment request form completed on its website or mobile app may have “captured and transmitted to our third-party service providers certain limited information.”

The health system began using analytics tools on its public website and mobile app in April 2020 with the goal of understanding how its community interacted with them.

“Analytics tools allow organizations to review website and app activity in the aggregate to develop more effective and efficient communication,” the organization stated.

“When in June 2022 UCLA Health learned of concerns relating to the use of these analytics tools by health-care providers, we disabled them.”

The appointment request forms containing analytics tools potentially captured information on third-party cookies, provider names and specialties, and hashed values of form fields that included names, email addresses, phone numbers, mailing addresses, and gender.

“It is important to note that these analytics tools never captured Social Security numbers, financial account numbers, or debit/credit card information,” the notice continued.

“Moreover, Appointment Request Forms that were impacted were only present on the UCLA Health website and the UCLA Health mobile app. UCLA Health did not place these analytics tools within myUCLAhealth, the online patient portal.”