While this code can provide valuable information for improving websites, applications, and services, it can also send data to Meta, which in turn may be provided to third parties for the purpose of serving targeted advertisements. It is unclear whether the data unwittingly sent to Meta through Meta Pixel on Advocate Aurora Health websites and applications was used to serve patients with targeted advertisements, but the investigation did confirm that patient data had been sent to Meta and others that could allow patients to be identified, which is potentially a violation of the HIPAA Privacy Rule.
The issue came to light following the publication of a report by The Markup/STAT into the use of Meta Pixel code on healthcare provider websites. The investigation confirmed that one-third of the top 100 hospitals in the United States had added the code to their websites, including 6 hospitals/health systems that had put the code behind the authentication required for their patient portals, such as on pages housing patient scheduling forms.
The user activity that was tracked included selections made by patients in drop-down boxes on web forms. For instance, when scheduling an appointment, if the reason for the appointment was selected, or an inquiry was made about a specific medical condition, that information may have been transmitted along with information that allowed that patient to be identified, such as their IP address.
Advocate Aurora Health said code from several third-party vendors had been used on its websites, which collected information such as IP addresses, dates, times, and locations of scheduled appointments, patients’ proximity to an Advocate Aurora Health location, and communications between patients and others within MyChart, which may have included medical record numbers and insurance information.
In order for information to have been disclosed, a patient would have needed to have visited the website or used an application and performed certain activities. The decision was taken to issue notifications to all 3 million patients who could potentially have been affected out of an abundance of caution. Advocate Aurora Health said it has removed the code from its websites and has established a more stringent vetting process, which will be applied if it considers using third-party tracking code on its websites and applications in the future.
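One check a vetting process of this kind could include, written here as an added example (not code from Advocate Aurora Health or any vendor): make a test booking, capture the outgoing requests, and flag every third-party host that receives the values entered in the form. All hosts, field names and values below are constructed for illustration.

```javascript
// Assumed first-party domain; subdomains of it are treated as first-party.
const FIRST_PARTY_DOMAIN = "hospital.example";

// Values the tester selected or typed into the form under test (constructed).
const SENSITIVE_VALUES = ["Oncology consultation", "MRN-0012345"];

// Constructed capture, e.g. copied from the browser's network panel during the test.
const CAPTURED = [
  { method: "POST", url: "https://portal.hospital.example/api/schedule",
    body: "reason=Oncology+consultation" },
  { method: "GET", url: "https://tracker.example/collect?ev=click&label=Oncology%20consultation",
    body: "" },
  { method: "POST", url: "https://analytics.example/e",
    body: JSON.stringify({ field: "reason", value: "Oncology consultation", mrn: "MRN-0012345" }) },
  { method: "GET", url: "https://cdn.example/lib.js", body: "" },
];

// Undo form/percent encoding; keep the raw text if the encoding is malformed.
function decodeLoose(text) {
  const spaced = text.replace(/\+/g, " ");
  try { return decodeURIComponent(spaced); } catch { return spaced; }
}

function isThirdParty(host, firstPartyDomain) {
  return host !== firstPartyDomain && !host.endsWith("." + firstPartyDomain);
}

// Return one record per third-party request whose URL or body carries a form value.
function findLeaks(requests, firstPartyDomain, sensitiveValues) {
  const leaks = [];
  for (const req of requests) {
    const url = new URL(req.url);
    if (!isThirdParty(url.hostname, firstPartyDomain)) continue;
    const haystack = (decodeLoose(url.pathname + url.search) + "\n" +
                      decodeLoose(req.body || "")).toLowerCase();
    const matched = sensitiveValues.filter((v) => haystack.includes(v.toLowerCase()));
    if (matched.length > 0) leaks.push({ host: url.hostname, method: req.method, matched });
  }
  return leaks;
}

for (const leak of findLeaks(CAPTURED, FIRST_PARTY_DOMAIN, SENSITIVE_VALUES)) {
  console.log(`${leak.host} (${leak.method}) received: ${leak.matched.join(", ")}`);
}
```

Every flagged request also exposes the visitor's IP address to the receiving host simply by being made. Values that a script hashes or encodes before sending will not match this plain-text search.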
Advocate Health is not the only healthcare provider to have issued notifications related to the use of Meta Pixel and other tracking code on websites. Earlier this year, Novant Health notified 1.3 million patients that their PHI may have been impermissibly disclosed in a similar fashion. WakeMed Health and Hospitals has also recently reported a similar breach affecting 500,000 patients.
Meta is currently facing scrutiny over its tracking code. Several Senators have written to Meta demanding answers about potential privacy violations, and the North Carolina Attorney General is investigating claims that hospitals in The Triangle have been impermissibly sharing data with Facebook.