DaVita recently discovered that tracking tools on its website and mobile app may have transmitted user information to third-party providers. On July 2, 2024, the kidney dialysis service provider, based in Denver, Colorado, informed 67,443 patients about a data breach linked to these tracking pixels. The issue was identified on June 17, 2024, when it was revealed that these pixels were installed on DaVita’s Care Connect mobile app and website health portal.
The breach involved a variety of data depending on individual user interactions with DaVita’s platforms. Exposed information potentially included usernames, third-party cookies, work status, patient classifications, and data on web usage and app activity. Some users may have had their demographic details and laboratory test names accessed, though test results were not included. The breach could associate this data with users via IP addresses and third-party identifiers if they were logged into accounts like Facebook or Google.
DaVita has since removed all non-compliant third-party tracking codes and implemented new privacy guidelines and procedures. The company has also provided additional HIPAA training to its employees to prevent future breaches. As of now, DaVita has not detected any misuse of the exposed data that could lead to financial or similar issues for the affected individuals.
The company remains vigilant in monitoring for any potential impacts from this breach and continues to work on enhancing its data security measures to protect patient information.