Background on Google Analytics Data Privacy Incident and Frequently Asked Questions

Background on security incident

Allina Health uses Google Analytics to enhance the AllinaHealth.org experience for our patients, visitors and community members. In recent months, several health care systems have learned that tools used by internet tracking technology vendors may inadvertently capture private health information. Allina Health proactively reached out to an outside consulting firm to do a forensic analysis of Allina Health’s use of tracking tools.

In late February 2023, the firm determined that tracking pixels were sending some protected information to Google Analytics. Allina Health’s internal teams have been working diligently with our outside partner to identify affected patients.

A limited number of patients had pieces of information captured by Google Analytics. This was not a cybersecurity attack, and Allina Health has no evidence that Google used this data for any purpose other than providing analytic services to Allina Health.

Allina Health is committed to patient privacy and understands that these types of events can cause concern. We are deeply sorry for any concern or inconvenience that this incident causes anyone.

Frequently Asked Questions

Did all of my health data go to Google?

No, only select information was sent to Google.

The information may have included:

  • Name
  • Date of birth
  • Internet Protocol (IP) address
  • Limited clinical information, which may have included:
    • Symptoms/Diagnosis/Treatment Information
    • Medications
    • Lab and imaging results
  • Insurance card numbers (few instances)

This information DID NOT include:

  • Social security numbers
  • Credit card numbers
  • Banking information

Was my information involved and how will I know?

We have sent communication to individuals whose information may have been involved.

What are pixels?

Pixels help gather the trends and preferences of website users to improve the user experience.

What measures have been taken to prevent this from happening again?

Allina Health has removed the code that was capturing private health information and has implemented internal processes to prevent it from being added in the future.

Have affected patients been notified?

Allina Health has notified those impacted by this incident. In addition, a link to the notice will be in place on AllinaHealth.org for the next 90 days, and a news release was sent out to relevant media outlets.

Can Google sell my data? 

Google’s Terms and Conditions do not allow them to re-sell or publish any of the data that was inadvertently sent to them. 

If my information went to Google, does that mean it will show up if somebody searches my name using their search engine? 

Google’s Terms and Conditions do not allow them to re-sell or publish any of the data that was inadvertently sent to them. 

Can somebody use the information to steal my identity? 

Google’s Terms and Conditions do not allow them to re-sell or publish any of the data that was inadvertently sent to them. Unlike in other data breaches that get reported, the data was not stolen.

Did my credit card information get shared with Google? 

Credit card information was not shared. 

Is the data going to be deleted from Google? 

We are working with Google to purge the data.  

Was my Allina Health account password part of this?

No passwords were part of the data sent to Google.

Who can I contact if I have more questions?

Those with questions may call Allina Health at 866-979-1541, Monday-Friday from 8 a.m. – 6 p.m. CST, beginning Monday, May 1, 2023. 

I want to file a complaint; where can I do this? 

You may file a complaint with the Allina Health Privacy Office by writing to the following address:

Allina Health Privacy Office
Mail Route 10839
P.O. Box 43
Minneapolis, MN 55440-0043

In addition, the federal Office for Civil Rights has been notified of this situation. 

If you would like to submit an additional complaint to the Office for Civil Rights, you can submit your complaint:

  • on the U.S. Department of Health and Human Services, Office for Civil Rights website
  • by email: OCRComplaint@hhs.gov
  • by mail:
    Centralized Case Management Operations
    U.S. Department of Health and Human Services
    200 Independence Avenue, S.W.
    Room 509F HHH Bldg.
    Washington, D.C. 20201

Allina Health is committed to patient privacy and understands that these types of events can cause concern. We are deeply sorry for any concern or inconvenience that this incident causes anyone. While we do not believe this incident puts patients at risk for identity or financial theft, out of an abundance of caution, we are offering a complimentary two-year membership of TransUnion credit monitoring/identity protection services. We also encourage everyone to continue practicing the usual caution around suspicious communication and promptly report any suspected identity theft or other suspicious activity to the proper law enforcement authorities.