Meta Pixel Code on Novant Health Website Disclosed Data of 1.3 Million Patients to Meta

Novant Health has notified more than 1.3 million patients that some of their protected health information has been impermissibly disclosed to Meta (Facebook) without authorization due to the misconfiguration of Meta Pixel code on its website.

The North Carolina healthcare provider had added a snippet of JavaScript code to its website – Meta Pixel – to track visitors on the website and monitor the success of its advertising campaign on Facebook. The code was added to the website in May 2020 when a promotional campaign was launched with the goal of improving access to care through virtual visits, and to provide increased accessibility to counter the limitations of in-person care. The campaign included advertisements on Facebook, and the Meta Pixel code was used to understand the success of those adverts.

The code was added to the Novant Health MyChart patient portal, but it was incorrectly configured, which allowed certain private information of users of the portal to be transmitted to Facebook. Facebook is not a business associate of Novant Health, and authorization to transmit private information was not obtained from patients.

When Novant Health learned that private information was being sent to Facebook, the code was immediately removed from the website and an investigation was launched into the privacy breach. On June 17, 2022, Novant Health determined that the code had transmitted sensitive information to Meta, which potentially included the following types of information:

Demographic information, including email address, phone number, and computer IP address; contact information entered into Emergency Contacts or Advanced Care Planning; and information such as appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes. The nature of the data transmitted depended on the interactions of patients on the website.

Novant Health said it is unaware of any improper use of patient information by Meta or any other third parties. It is possible that in addition to the disclosure to Meta, the information may have been disclosed to advertisers on Facebook.

Novant Health said Meta has filters in place that block sensitive information transferred through Meta Pixel to ensure the information is not passed to their Ad Manager; however, as a precaution and to ensure transparency, the decision was taken to notify all 1,362,296 patients who were potentially affected. Policies have since been updated regarding the use of website code to prevent any further data breaches.

At least two lawsuits have been filed against healthcare providers over the use of Meta Pixel on their patient portals this year, and Meta is facing backlash over the use of the code by healthcare providers. An investigation into the use of Meta Pixel code by The Markup and STAT found the code had been used on hundreds of healthcare provider websites, including around a dozen that had the code installed behind password-protected patient portals.