Advocate Aurora Health (AAH), an Illinois and Wisconsin-based healthcare provider, has posted a data breach notice on its website. Rather than a ransomware attack or other form of unauthorized access, AAH has attributed the incident to a piece of JavaScript provided by Meta, Facebook’s parent company. The Meta Pixel JavaScript in question is used to track the behavior of website visitors.
Like many other healthcare providers, AAH embeds the Meta Pixel in its websites to “measure and evaluate information regarding the trends and preferences of its patients as they use [its] websites.” According to AAH, the healthcare provider only recently discovered that Meta can sometimes access the extensive user behavior data collected by its pixel technology.
Since discovering the Meta Pixel’s information-sharing practices, AAH has disabled and/or removed the pixel JavaScript from its websites and filed a data breach report with the US Department of Health and Human Services (HHS). Additionally, the healthcare provider is conducting an internal investigation to determine precisely which patient information was shared with Meta.
The data breach notification states, “Users may have been affected differently depending on their choice of browser; the configuration of their browsers; their blocking, clearing, or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform.” AAH has determined that it is prudent to assume that all patients with AAH MyChart accounts and patients who have used scheduling widgets on any AAH platform may have been affected by this data breach. The healthcare provider has determined that Meta Pixel may have shared the following patient information with Meta without patients’ consent:
- IP addresses
- Dates, times, and locations of scheduled appointments
- Patient’s proximity to an AAH location
- Information about patients’ providers
- Types of appointments and procedures
- Communications between patients and others through MyChart
- First and last names
- Medical record numbers
- Insurance information
- Proxy MyChart account information
AAH asserts that it has no evidence that the information shared with Meta was used inappropriately. The healthcare provider deems it “extremely unlikely” that this incident will lead to identity theft or fraud, but nonetheless encourages patients to monitor their financial accounts for unusual or suspicious activity.