
Novant Health Notifies 1.3M Patients of Unauthorized PHI Disclosure Caused By Meta Pixel

Novant Health informed patients that Meta pixel code used in its patient portal potentially resulted in an unauthorized disclosure of PHI.

North Carolina-based Novant Health notified 1.3 million patients that the use of Meta pixel code potentially led to unauthorized disclosure of protected health information (PHI). As previously reported, Facebook and its parent company Meta have been facing backlash over the configuration of their pixel tracker.

A report co-published by The Markup and STAT found evidence that the Meta pixel, a portion of JavaScript code that allows websites to track visitor activity, was being used on hundreds of hospital websites within patient portals.

With the tracker present within password-protected patient portals, packets of data were allegedly sent to Facebook whenever someone clicked a button to schedule a doctor’s appointment. Facebook received PHI, which could be linked to the user’s unique IP address. Meta is facing at least two lawsuits over the incident.

In its detailed notice to patients, which was issued “in an effort to be as transparent as possible,” Novant Health explained that it launched a promotional campaign in May 2020 to connect more patients to its Novant Health MyChart patient portal.

“This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those efforts on Facebook,” the notice explained.

“A pixel is a piece of code that organizations commonly use to measure activity and experiences on their website. In this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

Once it became aware that the pixel could have improperly transmitted information to Meta, Novant Health said it disabled and removed the pixel and launched an investigation. On June 17, Novant Health determined that it was possible that sensitive information was disclosed to Meta, depending on each user’s activity within the Novant Health website and patient portal.

The impacted information potentially included contact information, appointment details, computer IP addresses, information entered into free text boxes, and button and menu selections.

“Based on its investigation, Novant Health is unaware of any improper use or attempted use of any patient information by Meta or any other third party. According to Facebook’s Terms and Conditions, they have policies and filters that block sensitive personal data and do not incorporate that information into their Ad Manager,” Novant Health stated.

“However, to be safe and transparent, Novant Health is sending letters to all potentially impacted patients, including some who are patients of independent physicians and facilities who use the Novant Health MyChart medical record.”

Novant Health also noted that it had since implemented additional structure, governance, and policies surrounding the use of pixels.
