EHR Patient Data Found for Sale Online, Browser Extensions Found to Be Source of Leak


October 11th, 2019

EHR patient data was found for sale online according to a new investigation. Ensure you are safeguarding your sensitive data and compliant with HIPAA.


The Washington Post recently posted an alarming story relating to EHR patient data being sold online. The culprit? Web browser extensions. The Post reports that as many as four million people have browser extensions that sell their every click.

The investigation prompted a notification to Google and Mozilla, which reported that they had closed these leaks immediately. However, many more could be out there.

Plug-Ins Make Life Easier

The beauty of integrating plug-ins into your web browser is that they should make your life online easier. Many of you probably use them to store passwords with a platform like 1Password.

The problem is that most users install these add-ons believing that, because Chrome or Internet Explorer offers them, they must be legitimate. While many are, some extensions are doing extra duty.

The Data Economy

Once these plug-ins have a window into your browsing, they can pass on information about where you spend your time. So much activity occurs in your browser. If you’re in the healthcare field, you are probably using your EHR within your browser, which means data brokers could be viewing protected information.

That’s exactly what the Washington Post reporter found. In his article, he shared that he found the names of patients, doctors, and even medications. With this data available and for sale on data broker sites, it’s clear that a data breach has occurred. And not one that many would have expected.

How Many Extensions Are Leaking Private and Sensitive Data?

While the Washington Post only found a handful of extensions with nefarious dealings, a North Carolina State University study of the 180,000 Chrome extensions found that there were 3,800 problematic add-ons. Not all of these extensions are doing something illegal. Many of them make it known to users that they are collecting data based on their search history. But of those 3,800 add-ons, the study found that at least 382 were in the data sales business. However, there is no regulation that prevents them from doing this.

What You Can Do to Protect Your Sensitive Data

EHR patient data is private and protected. Should it fall into the wrong hands, you could be liable and be found to be noncompliant with HIPAA. To prevent extension-related leaks, your organization should have security guidelines in place about what extensions a user can add. Your IT team may decide to whitelist some, like password savers.
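One way an IT team could check a workstation's browser against such a whitelist is sketched below, as an added example that is not part of the original article. It assumes Chrome's on-disk layout of `Extensions/<extension id>/<version>/manifest.json`; the extension IDs, names, and function names are constructed for illustration.

```python
import json
import tempfile
from pathlib import Path

# Host patterns that let an extension read every page, including a browser-based EHR.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

def audit_extensions(extensions_dir, allowlist):
    """Report each extension found under <extensions_dir>/<id>/<version>/manifest.json."""
    findings = []
    for manifest_path in sorted(Path(extensions_dir).glob("*/*/manifest.json")):
        ext_id = manifest_path.parent.parent.name
        try:
            manifest = json.loads(manifest_path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            manifest = {}  # unreadable manifest: still reported, with name None
        # Manifest V2 lists host patterns in "permissions"; V3 uses "host_permissions".
        requested = manifest.get("permissions", []) + manifest.get("host_permissions", [])
        # Content scripts also read page content on the URLs they match.
        for script in manifest.get("content_scripts", []):
            requested += script.get("matches", [])
        broad = sorted({p for p in requested if isinstance(p, str) and p in BROAD_HOSTS})
        findings.append({"id": ext_id, "name": manifest.get("name"),
                         "allowed": ext_id in allowlist, "broad_hosts": broad})
    return findings

def violations(findings):
    """Extensions not on the allowlist; those with broad host access sort first."""
    bad = [f for f in findings if not f["allowed"]]
    return sorted(bad, key=lambda f: (not f["broad_hosts"], f["id"]))

def build_sample_profile(root):
    """Constructed sample data: two fake extensions with made-up IDs."""
    samples = {
        "a" * 32: {"name": "Approved Password Manager", "manifest_version": 3,
                   "permissions": ["storage"], "host_permissions": ["https://*/*"]},
        "b" * 32: {"name": "Unapproved Helper", "manifest_version": 2,
                   "permissions": ["tabs", "<all_urls>"]},
    }
    for ext_id, manifest in samples.items():
        version_dir = Path(root) / ext_id / "1.0.0_0"
        version_dir.mkdir(parents=True)
        (version_dir / "manifest.json").write_text(json.dumps(manifest), encoding="utf-8")

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_profile(tmp)
        for finding in violations(audit_extensions(tmp, allowlist={"a" * 32})):
            print(finding["id"], finding["name"], finding["broad_hosts"])
```

Note that the approved extension in the sample also requests access to every HTTPS page, so the `broad_hosts` field is worth reviewing even for whitelisted entries.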

But this due diligence should extend to your vendors as well, especially if you are expected to initiate a data conversion in the future. In a data conversion, a data management company pulls data from an old EHR system and then formats and prepares it for loading into your new system. You should ask about their policy on browser extensions for added peace of mind.

Data leaks happen, but there are many things you can do to keep your EHR patient data safe. One of them is limiting browser extension integrations. Be sure to update your policy immediately to protect your data.