Advocate Aurora Health Data Breach Could Impact Up to 3 Million Patients
Advocate Aurora Health, which is headquartered in Downers Grove, Ill., and Milwaukee, said in a statement on its website that it installed “pixels” on its website that possibly breached the data of up to 3 million patients. Journalists began reporting the breach earlier this week.
An investigation published by The Markup in June found that 33 of the top 100 hospitals in the U.S. use the Meta Pixel on their websites, including seven hospitals that installed it on password-protected patient portals. The investigation found that Meta Pixel was sending information about patient health conditions, medical appointments, and medication allergies to Facebook.
The statement from Advocate Aurora says that “Advocate Aurora Health is writing to provide transparency in its previous use of the Internet tracking technologies, such as Google and Meta (Facebook), that we and many others in our industry had implemented to understand how patients and others interact with our websites. These technologies disclose certain details about interactions with our websites, particularly for users that are concurrently logged into their Google or Facebook accounts and have shared their identity and other surfing habits with these companies. When using some Advocate Aurora Health sites, certain protected health information (“PHI”) would be disclosed in particular circumstances to specific vendors because of pixels on our websites or applications. Information about these technologies and steps that individuals may take to further protect their health information can be found in our FAQ.”
“In an effort to deliver high quality services to its community, Advocate Aurora Health uses the services of several third-party vendors to measure and evaluate information concerning the trends and preferences of its patients as they use our websites,” the statement continues. “To do so, pieces of code known as ‘pixels’ were included on certain of our websites or applications. These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population. We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology. We have disabled and/or removed the pixels from our platforms and launched an internal investigation to better understand what patient information was transmitted to our vendors.”
The statement says that the information involved in the incident includes IP addresses; dates, times, and/or locations of scheduled appointments; patients’ proximity to an Advocate Aurora location; information on patients’ provider; type of appointment or procedure; and communications between patients and providers through MyChart, which may have included first and last name, medical record number, insurance information, and proxy MyChart accounts. According to the release, no Social Security numbers, financial accounts, or credit card or debit card information was involved in the incident.
As to what patients of the organization can do, the statement says that “You can protect yourself from online tracking by blocking or deleting cookies or using browsers that support privacy-protecting operations, such as incognito mode. You can also adjust your privacy settings in Facebook and Google.”
On Oct. 14, the breach was submitted to the HHS Office of Civil Rights.
In August, we reported that “Damages may be payable to any patient whose PII and PHI data was scraped by Meta Pixel. According to an Aug. 2 article from The Verge by Nicole Wetsman, Facebook’s parent company Meta and a number of U.S. hospitals violated medical privacy laws with a tracking tool that sends health information to Facebook, two proposed class-action lawsuits claim.”
Wetsman reports that “The lawsuits, filed in the Northern District of California in June and July, focus on the Meta Pixel tracking tool. The tool can be installed on websites to provide analytics on Facebook and Instagram ads. It also collects information about how people click around and input information into those websites.”
An Oct. 20 article from Bleeping Computer by Bill Toulas says that “In August 2022, U.S. healthcare provider Novant Health disclosed its improper use of Meta Pixel in its implementation of the 'MyChart' portal, exposing 1.3 million patients.”
Toulas adds that “The 'MyChart' patient portal is also used by AAH, along with another platform named 'LiveWell,' both of which had active Meta Pixel trackers.”