UCLA Health Data Notice

January 13, 2023

To the UCLA Health community:

UCLA Health strives to put our patients first, and patient confidentiality is a critical part of our commitment to care. UCLA Health recently learned of an issue relating to the use of analytics tools on the UCLA Health website and mobile app. Specifically, UCLA Health’s analytics tools on an appointment request form completed on the UCLA Health website or the UCLA Health mobile app (“Appointment Request Form”) may have captured and transmitted to our third-party service providers certain limited information from the Appointment Request Form.

In April 2020, UCLA Health began using analytics tools from third-party service providers on our public website, UCLAHealth.org, and a related mobile app to understand how our community interacted with them. Analytics tools allow organizations to review website and app activity in the aggregate to develop more effective and efficient communication. When in June 2022 UCLA Health learned of concerns relating to the use of these analytics tools by health-care providers, we disabled them. Additionally, UCLA Health initiated a review, supported by a third-party forensic firm, to complete a comprehensive analysis of the use of these analytics tools on its website and mobile apps, evaluate what data these analytics tools collected, and determine to whom the data belonged.

UCLA Health is providing notice to individuals whose data may have been captured on an Appointment Request Form. On January 13, 2023, UCLA mailed notices to those for whom it had addresses. For these individuals, the analytics tools may have captured the following information: URL/website address (which could include provider name, specialty, or ad campaign name), page view, IP address, third-party cookies, and hashed values of certain fields on an Appointment Request Form. The hashed value form fields may have included first and last name, email address, mailing address, phone number, and gender. Hashed values are generated by applying a one-way mathematical algorithm to convert the data into a string of numbers and letters.

It is important to note that these analytics tools never captured Social Security numbers, financial account numbers, or debit/credit card information. Moreover, Appointment Request Forms that were impacted were only present on the UCLA Health website and the UCLA Health mobile app. UCLA Health did not place these analytics tools within myUCLAhealth, the online patient portal.

UCLA Health has established a dedicated call center to answer questions. Community members who receive a notice and would like more information or who believe their personal health information may have been impacted may call the call center at 1-800-454-3581 Monday through Friday from 6 a.m. to 8 p.m. PT, and Saturday and Sunday from 8 a.m. to 5 p.m. PT. Please be prepared to reference engagement number B083805 when speaking with an agent.

Our patients always come first. We have enhanced our technology evaluation procedures and take our responsibility to protect personal information entrusted to us very seriously.

General questions about what happened and what we are doing

In April 2020, UCLA Health began using analytics tools from third-party service providers on our public website, UCLAHealth.org, and a related mobile app. We used these analytics tools to assist us in understanding how our community interacted with them. These analytics tools may have captured and transmitted to our third-party service providers certain limited information from an appointment request form completed on the UCLA Health website or the UCLA Health mobile app.

UCLA Health learned of concerns in June 2022 relating to the use of these analytics tools by health-care providers, and we disabled them. UCLA Health then initiated a review, supported by a third-party forensic firm, to complete a comprehensive analysis of the use of these analytics tools on our website and mobile apps and evaluate what data these analytics tools collected.

UCLA Health’s investigation showed that the analytics tools may have captured the following information: URL/website address (which could include provider name, specialty, or ad campaign name), page views, IP address (which is a unique string of characters that identifies a computer or device on a network that is used for communication over the internet), third-party cookies (which are created and used by third-party service providers for analytics), and hashed values of certain fields from appointment request forms. The hashed value form fields may have included first and last name, email address, mailing address, phone number, and gender. Hashed values are generated by applying a one-way mathematical algorithm to convert the data into a string of numbers and letters.

It is important to note that these analytics tools never captured Social Security numbers, financial account numbers, or debit/credit card information. Moreover, appointment request forms that were impacted were only present on the UCLA Health website and the UCLA Health mobile app. UCLA Health did not place these analytics tools within myUCLAhealth, the online patient portal.

The analytics tools were enabled on the UCLA Health website and UCLA Health app between April 2020 and June 2022.

UCLA Health learned of general concerns regarding the use of analytics tools on health-care websites in June 2022. We promptly took steps to disable the tools on our website. Additionally, UCLA Health initiated a review, supported by a third-party forensic firm, to complete a comprehensive analysis of the use of these analytics tools on our website and mobile apps, evaluate what data these analytics tools collected, and determine to whom the data belonged.

To gain a comprehensive and complete understanding of the use of these analytics tools on the UCLA Health website and UCLA Health mobile app, a leading forensic firm was engaged to evaluate what data these analytics tools collected and determine to whom the data belonged. This work was conducted deliberately and methodically to be able to provide accurate information and deliver notices to each member of the UCLA Health community whose personal information may have been collected via an appointment request form.

UCLA Health learned of concerns in June 2022 relating to the use of these analytics tools by health-care providers, and we disabled them. We initiated a review and comprehensive analysis of the use of these analytics tools on our website and mobile apps, supported by a third-party forensic firm, and have enhanced our technology evaluation procedures. UCLA Health has notified the UCLA Health community and provided notices to each member of the UCLA Health community whose personal information may have been collected via an appointment request form.

UCLA Health used analytics tools to better understand community interaction with our website, create a better user experience for visitors, and improve our communication with the community. UCLA Health received information from the analytics tools on an aggregate and anonymized basis.

UCLA Health will send notices to individuals whose data may have been captured on its appointment request form on the website or mobile app.

It could mean that your information was not observed to be included on an appointment request form on the UCLA Health website or mobile app. Alternatively, it could mean that we did not have contact information for you or that your notice is currently in transit.

If you would like more information, you may call the call center at 1-800-454-3581 Monday through Friday from 6 a.m. to 8 p.m. PT, and Saturday and Sunday from 8 a.m. to 5 p.m. PT. Please be prepared to reference engagement number B083805 when speaking with an agent. If you would like more information about whether your data may have been included on an appointment request form, a call center representative can collect your information and you will receive a follow-up call.

No. We have no evidence to suggest any financial information was collected by the analytics tools and the analytics tools only shared information with third-party service providers. Therefore, credit monitoring is not being offered.

You can limit the use of analytics tools by blocking or deleting cookies or using browsers that support privacy-protecting operations, such as incognito mode.

It is always a good idea to remain alert to threats of identity theft or fraud. You can do this by regularly reviewing and monitoring your financial statements, credit reports, and Explanations of Benefits (EOBs) from your health insurers for any unauthorized activity. If you ever suspect that you are the victim of identity theft or fraud, you should contact the company that maintains the account on your behalf or your local police.

You may have scheduled an appointment via an appointment request form on our UCLA Health website or mobile app.

UCLA Health has established a dedicated call center to answer questions. Community members who receive a notice and would like more information or who believe their personal health information may have been impacted may call the call center at 1-800-454-3581 Monday through Friday from 6 a.m. to 8 p.m. PT, and Saturday and Sunday from 8 a.m. to 5 p.m. PT. Please be prepared to reference engagement number B083805 when speaking with an agent.