3M Advocate Aurora Health Patients Face PHI Exposure Tied to Tracking Pixels

Advocate Aurora Health discontinued its use of tracking pixels after discovering that they potentially resulted in patient PHI exposure.

Advocate Aurora Health notified 3 million patients of a data breach that resulted in potential protected health information (PHI) exposure.

The breach stemmed from the nonprofit health system’s use of Google and Meta (Facebook’s parent company) tracking pixels, which are commonly used tools for targeted marketing and tracking visitor activity.

In August, North Carolina-based Novant Health notified 1.3 million patients that the use of Meta pixel code on its website also potentially exposed PHI.

Background

As previously reported, a co-published report by The Markup and STAT discovered that the Meta pixel tracker was being used on hundreds of hospital websites. While the use of pixels is common, the report found the pixel installed inside multiple password-protected patient portals and scheduling forms.

With the tracker present, packets of data were allegedly sent to Facebook whenever someone clicked a button to schedule a doctor’s appointment. Facebook allegedly received highly sensitive protected health information (PHI), including medical conditions and doctors’ names, which could all be linked to the user’s unique IP address.
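The situation described above, a pixel script loaded on portal and scheduling pages, is something a site owner can check for directly. The following is an added example, not code from the article or from any of the health systems it names: a small Python audit that flags pages under assumed portal and scheduling path prefixes (`/mychart`, `/schedule`) when they load the Meta Pixel or Google tag loader, or call `fbq()`/`gtag()` inline, run here over constructed sample pages.

```python
import re
from urllib.parse import urlparse

# Tracker script hosts and inline call signatures. The Meta Pixel and Google
# tag loaders are real, widely used sources; this short list is illustrative.
TRACKER_HOSTS = {"connect.facebook.net": "Meta Pixel",
                 "www.googletagmanager.com": "Google Tag"}
INLINE_SIGNATURES = {re.compile(r"\bfbq\s*\("): "Meta Pixel",
                     re.compile(r"\bgtag\s*\("): "Google Tag"}
# Path prefixes treated as sensitive (assumed portal/scheduling layout).
SENSITIVE_PREFIXES = ("/mychart", "/schedule")
# Lightweight <script> scan; enough for an audit sweep, not a full HTML parser.
SCRIPT_TAG = re.compile(r"<script\b([^>]*)>(.*?)</script>", re.I | re.S)
SRC_ATTR = re.compile(r"""\bsrc\s*=\s*["']([^"']+)["']""", re.I)


def find_trackers(html):
    """Return the set of tracker names a page's HTML loads or calls."""
    found = set()
    for attrs, body in SCRIPT_TAG.findall(html):
        src = SRC_ATTR.search(attrs)
        if src:
            # Absolute and protocol-relative (//host/...) URLs give a hostname;
            # same-origin relative paths give None and are ignored.
            host = urlparse(src.group(1)).hostname
            if host in TRACKER_HOSTS:
                found.add(TRACKER_HOSTS[host])
        else:
            found.update(n for pat, n in INLINE_SIGNATURES.items()
                         if pat.search(body))
    return found


def audit(pages):
    """pages: {path: html}. Report trackers found on sensitive paths only."""
    report = {}
    for path, html in pages.items():
        trackers = find_trackers(html)
        if trackers and path.lower().startswith(SENSITIVE_PREFIXES):
            report[path] = sorted(trackers)
    return report


# Constructed sample pages for this example, not captured from any real site.
SAMPLE_PAGES = {
    "/": '<script src="https://www.googletagmanager.com/gtag/js?id=G-X"></script>',
    "/mychart/login": '<script>fbq("init", "123"); fbq("track", "PageView");</script>',
    "/schedule/new": '<script src="//connect.facebook.net/en_US/fbevents.js"></script>'
                     '<script src="/js/app.js"></script>',
}
```

Running `audit(SAMPLE_PAGES)` reports only the two portal and scheduling pages; the tracker on the public home page is not flagged because that path is not treated as sensitive.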

Novant Health’s notification noted that Facebook’s terms and conditions state that “they have policies and filters that block sensitive personal data and do not incorporate that information into their Ad Manager.”

Even so, the findings sparked significant data privacy concerns, and questions arose about whether Facebook had HIPAA business associate agreements (BAAs) in place with the hospitals. Facebook is now facing multiple lawsuits related to the findings.

Advocate Aurora Health Provides Breach Notice

Advocate Aurora Health explained that it had previously used the services of several third-party vendors to “measure and evaluate information concerning the trends and preferences of its patients as they use our websites.”

To do so, those third-party vendors utilized pixels to gather information. Advocate Aurora Health later learned that pixels or similar technologies installed on its patient portals and scheduling widgets transmitted certain information to the vendors that provided the technology.

The information involved potentially included IP addresses, patients’ proximity to an Advocate Aurora Health location, dates, times, and locations of scheduled appointments, and communications between patients and others within MyChart, which could have included medical record numbers and insurance information.

Advocate Aurora Health disabled the pixels and launched an internal investigation in order to “better understand what patient information was transmitted to our vendors.”

“Out of an abundance of caution, Advocate Aurora Health has decided to assume that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on Advocate Aurora Health’s platforms, may have been affected,” the health system explained.

Patients may have been impacted differently depending on their choice of and configuration of browser, use of cookies, and whether they have Facebook or Google accounts.

“You can protect yourself from online tracking by blocking or deleting cookies or using browsers that support privacy-protecting operations, such as incognito mode,” the notice advised patients. “You can also adjust your privacy settings in Facebook and Google.”

Advocate Aurora Health said that any future use of tracking technologies will be evaluated under the health system’s “enhanced, robust technology vetting process.”

WakeMed Health and Hospitals Notifies Patients

Advocate Aurora Health was not the only health system to notify patients of a data security incident relating to the use of tracking pixels in the past week. WakeMed Health and Hospitals, a North Carolina-based health system, notified an unspecified number of patients of a similar incident.

WakeMed explained that it, like many other companies, installed Facebook’s pixel on its website and patient portal with the intention of helping the health system better connect patients to its patient portal and improve access to care.

“Unfortunately, the pixel’s software code may have also transmitted some of the information entered into the MyChart patient portal and appointment scheduling page back to Facebook,” the notice explained.

The pixel potentially transmitted information such as email addresses, IP addresses, allergy and medication information, COVID vaccine status, and information about upcoming appointments. As a precaution, WakeMed notified all patients who logged into a WakeMed MyChart account or scheduled an appointment on its website between March 2018 and May 2022 of the incident.

“WakeMed proactively disabled Facebook’s pixel in May 2022 and has no plans to use it in the future without confirmation that the pixel no longer has the capacity to transmit potentially sensitive or identifiable information,” the health system stated.

“WakeMed has initiated a comprehensive review of our policies and procedures related to gathering website user data and will make changes as needed to enhance privacy and prevent a situation like this from happening in the future.”

WakeMed said it was unaware of any improper use of patient information by Meta or any other party.
