BayCare Clinic, LLP, is writing to provide transparency concerning the previous use of Internet tracking technologies by one of our partners, Advocate Aurora Health (“Advocate Aurora”), which provides us with access to our electronic medical record system (Epic). Like many others in our industry, Advocate Aurora had previously implemented Internet tracking technologies, such as Google and Meta (Facebook), to understand how patients and others interact with Advocate Aurora-supported websites. These technologies disclose certain details about interactions with such websites, particularly for users that are concurrently logged into their Google or Facebook accounts and have shared their identity and other surfing habits with these companies. When using some Advocate Aurora-supported sites, certain protected health information (“PHI”) would be disclosed in particular circumstances to specific vendors because of pixels on such websites or applications. Due to the nature of the services that Advocate Aurora provides to us, including supporting our access to Epic, the use of Internet tracking technologies by Advocate Aurora may have also resulted in the disclosure of certain PHI. Information about these technologies and steps that individuals may take to further protect their health information can be found below in our FAQs.
In an effort to deliver high quality services to its community, Advocate Aurora uses the services of several third-party vendors to measure and evaluate information concerning the trends and preferences of patients as they use Advocate Aurora-supported websites and applications. To do so, pieces of code known as “pixels” were included on certain of its websites or applications. These pixels or similar technologies were designed to gather information that Advocate Aurora reviews in aggregate to better understand patient needs and preferences.
Advocate Aurora recently notified us that pixels or similar technologies installed on the patient portals to Epic (available through MyChart and LiveWell websites and applications) transmitted certain patient information to the third-party analytics vendors that provided Advocate Aurora with the pixel technology. Advocate Aurora disabled and/or removed the pixels from the platforms and launched an internal investigation to better understand what patient information was transmitted to its vendors. Advocate Aurora notified its patients of this incident via a substitute notice posted on its website on October 14, 2022, which included our patients who have visited an Advocate Aurora location. However, even if you have not visited an Advocate Aurora location, because Advocate Aurora provides us with access to Epic, your information may have been transmitted to Advocate Aurora’s third-party analytics vendors.
Out of an abundance of caution, we have decided to assume that all patients with a MyChart account supported by Advocate Aurora (including users of the LiveWell application) may have been affected, even if such patients had not visited an Advocate Aurora location. Users may have been impacted differently based on their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform by the user.
The following information may have been involved: your IP address; dates, times, and/or locations of scheduled appointments; your proximity to a practice location; information about your provider; type of appointment or procedure; communications between you and others through MyChart, which may have included your first and last name and your medical record number; information about whether you had insurance; and, if you had a proxy MyChart account, your first name and the first name of your proxy. Based on Advocate Aurora’s investigation, no social security number, financial account, credit card, or debit card information was involved in this incident.
We are coordinating with Advocate Aurora to address this issue. Advocate Aurora disabled and/or removed tracking pixels on patient websites and applications and is continuing to evaluate how to further mitigate the risk of unauthorized disclosures of patient protected health information in the future. We will continue to monitor our information security systems and make improvements and enhancements where appropriate. Advocate Aurora has also confirmed that, to the extent any tracking technologies are proposed in the future, such technologies will be evaluated under Advocate Aurora’s enhanced, robust technology vetting process consistent with its commitments to patient privacy.
You can protect yourself from online tracking by blocking or deleting cookies or using browsers that support privacy-protecting operations, such as incognito mode. You can also adjust your privacy settings in Facebook and Google.
These pixels would be very unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident. Nevertheless, we always encourage patients to regularly review their financial accounts and report any suspicious, unrecognized or inaccurate activity immediately. You may obtain your free annual copy of your credit report from one or all the national consumer reporting companies by visiting www.annualcreditreport.com, calling toll-free 877-322-8229, or completing the Annual Credit Report Request Form and mailing it to: Annual Credit Report Request Service, P.O. Box 105281, Atlanta, GA 30348-5281. You can print the form from https://consumer.ftc.gov/credit-loans-and-debt/credit-and-debt.
You can further educate yourself regarding identity theft and the steps you can take to protect yourself, by contacting your state Attorney General or the Federal Trade Commission. The Federal Trade Commission can be reached at:
The Federal Trade Commission
600 Pennsylvania Ave. N.W. Washington, D.C. 20580
1-877-ID-THEFT (1-877-438-4338)
TTY: 1-866-653-4261
https://consumer.ftc.gov/features/identity-theft
Should you find accounts that you don’t recall opening, receive inquiries from creditors that you did not initiate on your credit report, or suspect any other identity theft, immediately file a police report with your local law enforcement agency and contact the U.S. Federal Trade Commission, and your financial institution.
You can also report suspicious activity to one of the three national consumer reporting agencies and obtain a 1-year Fraud Alert by calling one of the credit bureau phone numbers or visiting one of the websites below. If you become the victim of identity theft, you also have the right to place a 7-year Fraud Alert on your credit files.
Experian: 1-800-680-7289 or online at https://www.experian.com/fraud/center.html
Equifax: 1-877-478-7625 or online at https://www.equifax.com/personal/credit-report-services/credit-fraud-alerts/
TransUnion: 1-800-680-7289 or online at https://www.transunion.com/fraud-alerts
For additional protection, you can put a security freeze on your credit file. A security freeze is designed to prevent credit, loans and services from being approved in your name without your consent; however, it also will delay your ability to obtain credit. Pursuant to federal law, you cannot be charged to place or lift a credit freeze on your credit report. Should you wish to place a credit freeze, please contact all three major consumer reporting agencies, as listed below.
We apologize for the inconvenience that these technologies may have caused. We understand that you may have questions about how Advocate Aurora used such technologies. If you have additional questions, please call Advocate Aurora’s dedicated assistance line at (866) 884-3206, which will be open Monday - Friday from 7 a.m. - 7 p.m. Central, and Saturday from 9 a.m. - 2 p.m. Central.
We take patient privacy very seriously, employ robust internal controls to protect patient data and are committed to compliance with all laws applicable to our operations.
In an effort to improve care and access of our patients, we have partnered with Advocate Aurora Health (“Advocate Aurora”) to obtain access to our electronic medical records system (Epic). Advocate Aurora, like many others in our industry, uses the services of several third-party vendors to measure and evaluate information concerning the trends and preferences of patients as they use Advocate Aurora-supported websites and applications. To do so, pieces of code known as “pixels” are included on certain of Advocate Aurora’s supported websites or applications.
Advocate Aurora recently notified us that, in certain circumstances, pixels or similar technologies installed on the patient portals available through MyChart and LiveWell websites and applications transmitted certain patient information to third-party analytics vendors that provided Advocate Aurora with the pixel technology, particularly for users concurrently logged into their Facebook or Google accounts. Advocate Aurora disabled and/or removed the pixels from the platforms and launched an internal investigation to better understand what patient information was transmitted to its vendors. Advocate Aurora notified its patients of this incident via a substitute notice posted on its website on October 14, 2022, which included our patients who have visited an Advocate Aurora location. However, even if you have not visited an Advocate Aurora location, because Advocate Aurora provides us with access to our electronic medical record system, your information may have been disclosed.
Out of an abundance of caution, we have decided to assume that all patients with a MyChart account supported by Advocate Aurora (including users of the LiveWell application) may have been affected, even if such patients had not visited an Advocate Aurora location. Users may have been impacted differently based on their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform by the user.
The following information may have been involved: your IP address; dates, times, and/or locations of scheduled appointments; your proximity to a practice location; information about your provider; type of appointment or procedure; communications between you and others through MyChart, which may have included your first and last name and your medical record number; information about whether you had insurance; and, if you had a proxy MyChart account, your first name and
the first name of your proxy. Based on Advocate Aurora’s investigation, no social security number, financial account, credit card, or debit card information was involved in this incident.
We are not aware of any misuse of information arising from this incident. But, as a precaution, you could remain vigilant and take steps to help protect your personal information, such as by ordering your free credit report and placing a fraud alert on your credit file. You should also review statements you receive from any financial institution or other business for signs of suspicious transactions and contact the issuing institution if you see any activity you do not recognize.
We are coordinating with Advocate Aurora to address this issue. Advocate Aurora disabled and/or removed the pixels from the platforms and launched an internal investigation to better understand what patient information was transmitted to its analytics vendors. Advocate Aurora has also confirmed that, to the extent any tracking technologies are proposed in the future, such technologies will be evaluated under Advocate Aurora’s enhanced, robust technology vetting process consistent with its commitments to patient privacy.
We are providing notice about this incident to all of our patients with a MyChart account supported by Advocate Aurora, even if such patients had not visited an Advocate Aurora location.
Even though you may not be an AAH patient or have visited an AAH location, Advocate Aurora provides support services as well as access to an electronic medical record system for a number of medical practices, including your doctor’s practice.
We understand that you may have questions about how Advocate Aurora used such technologies. Advocate Aurora is operating a dedicated assistance line, and you can reach out for additional information to (866) 884-3206, which will be open Monday - Friday from 7 a.m. - 7 p.m. Central, and Saturday from 9 a.m. - 2 p.m. Central.