Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients. The incident was caused by the improper use of Meta Pixel on AAH’s websites, where patients log in and enter sensitive personal and medical information. Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements. However, the tracker also sends sensitive data to Meta (Facebook) and is then shared with a massive network of marketers who target patients with advertisements that match their conditions. This privacy breach has taken the U.S. by storm, as Meta Pixel is used by many hospitals in the country, exposing millions of people to third parties and sparking class action lawsuits against the responsible organizations. In August 2022, U.S. healthcare provider Novant Health disclosed its improper use of Meta Pixel in its implementation of the ‘MyChart’ portal, exposing 1.3 million patients. The ‘MyChart’ patient portal is also used by AAH, along with another platform named ‘LiveWell,’ both of which had active Meta Pixel trackers. AAH’s data breach notification says that the following information may have been exposed via Meta Pixel:
- IP address
- Dates, times, and locations of scheduled appointments
- Proximity to an AAH location
- Medical provider information
- Type of appointment or procedure
- Communications between MyChart users, which may have included first and last names and medical record numbers
- Insurance information
- Proxy account information
