Monument, Inc.
Your Personal Info Could Be Exposed Online After This Hospital Breach
Breach Description
Monument, Inc., a New York-based online alcohol addiction and treatment service provider, experienced a significant data breach that has affected an estimated 109,000 individuals. The breach was primarily due to the impermissible disclosure of personal and protected health information through tracking code on its websites. An internal review, prompted by guidance from the HHS’ Office for Civil Rights regarding pixels and other tracking tools, concluded that these tools potentially transferred identifiable protected health information to third parties without proper consent or business associate agreements. The tracking tools, provided by major tech companies like Google, Facebook (Meta), Pinterest, and Bing, had been present on Monument’s websites since January 2020 and, since November 2017, on the websites of Tempest, a company Monument acquired in May 2022. The types of information disclosed varied but could include names, birth dates, telephone numbers, email addresses, insurance member IDs, and more, depending on the individual’s interaction with the websites.
Monument, Inc. has taken steps to address the breach by disconnecting its websites from the tracking tools on February 23, 2023, and terminating third-party advertising relationships with the providers of these tools. The company has also committed to using only third-party vendors that meet HIPAA requirements and other privacy laws moving forward. Despite these measures, the breach has led to a class action investigation and concerns over the privacy and security of patient information.