Monument alcohol recovery startup NYC logo
*
(image source: Monument (Verywellmind), n.d.)
One-sentence summary:
Monument, an NYC-based alcohol recovery startup, potentially breached the protected health information of over 108,000 individuals over 3 years (and an additional 3 years retroactively via Tempest) via advertising pixels.
Who was involved?
Monument, Inc., its subsidiary Tempest, and 108,584 individuals.
What was the timeline?
November 2017: Breach starts with Tempest members
January 2020: Breach starts with Monument members
December 1, 2022: HHS publishes a privacy guidance bulletin regarding advertising, including advertising pixels (HHS, 2022). Monument claims to receive notice around this time and begins an internal investigation as well as the cessation of such advertising methods.
February 6, 2023: Monument determines it has breached PHI via advertising
February 23, 2023: Monument confirms it has removed all offending advertising services from service.
March 31, 2023: Monument reports the breach to HHS and presumably begins public notification
What occurred?
Monument, an alcohol recovery startup, used advertising pixels along with its subsidiary (Tempest) since 2020 and 2017, respectively, unknowingly breaching the protected health information of over 108,584 individuals, which may have included: “name, date of birth, email address, telephone number, address, Monument ID, insurance member ID, IP address, unique digital ID, Uniform Resource Locator (URL), photograph, selected services or plan, assessment or survey responses, appointment-related information, and associated health information” (Monument, 2023; HHS, 2023). Monument claims to have received warning from HHS’s bulletin back in December 2022 covering advertising pixels, thus initiating their investigation (Monument, 2023; HHS, 2022).
Estimated costs:
Associated incident response costs, breach notification costs, potential identity monitoring services, M-F call center
Involved laws:
Federal: HIPAA and HITECH
California: CCPA and Cal. Civ. Code § 1798.29(a)
Root cause:
Voluntary business practices and/or misconfiguration: advertising technologies.
Lessons learned:
Theoretically, in-house and independent risk and GRC assessments on advertising practices may allow an organization to preemptively respond to or prevent breaches, even before specific regulatory clarification occurs (e.g., HHS guidance publications). Thorough compliance audits and privacy assessments. Another paradigm: assessing risk with established data flows in the enterprise (advertising is an outbound data flow and, therefore, a potential privacy risk). Breaches continue to occur at major corporations due to voluntary misconfiguration and, therefore, necessitate the need for regular, rigorous auditing.
Sources:
HHS. (2022). Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates. In U.S. Department of Health & Human Services. Office for Civil Rights (OCR). Retrieved April 18, 2023, from https://www.hhs.gov/hipaa/for-professionals/privacy/guidance/hipaa-online-tracking/index.html
HHS. (2023). Cases Currently Under Investigation. In Breach Portal: Notice to the Secretary of HHS Breach of Unsecured Protected Health Information. U.S. Department of Health and Human Services Office for Civil Rights. Retrieved April 18, 2023, from https://ocrportal.hhs.gov/ocr/breach/breach_report.jsf
Monument. (2023). Monument – Sample Notification Letter 4888-3653-0266 v.2.pdf. In Submitted Breach Notification Sample (AI4831 v.01). Rob Bonta California Attorney General. Retrieved April 18, 2023, from https://oag.ca.gov/ecrime/databreach/reports/sb24-564977
Monument (Verywellmind). (n.d.). Monument-Recirc-aa8c55b799424c8193f9bbc8b5e4a57c.jpg. Verywellmind. https://www.verywellmind.com/thmb/wysdvUsebhoseRDDmYBgEkYFsD0=/1500×0/filters:no_upscale():max_bytes(150000):strip_icc()/Monument-Recirc-aa8c55b799424c8193f9bbc8b5e4a57c.jpg
Commentary:
This breach report mimics another healthcare startup breach previously covered, Cerebral, and may foreshadow an increasing number of healthcare breach reports due to more specific HHS guidance.
