Threat Watch

Misconfigured Meta Pixel Leaked Healthcare Data

U.S. healthcare company Novant Health has announced a data breach impacting 1,362,296 patients whose private information was accidentally gathered by the Meta Pixel ad tracking script. Facebook advertisers can install the JavaScript monitoring script Meta Pixel (formerly known as Facebook Pixel) to their website to track the performance of their advertising. Unauthorized patient data access and disclosure started in May 2020, when Novant launched Facebook ad-based marketing campaigns to promote the COVID-19 vaccine. The healthcare company placed the Meta Pixel code on their website to track these advertisements and evaluate their performance. The ‘MyChart’ portal and the Novant Health website’s Meta pixel were incorrectly configured, transmitting privacy information to Meta and its advertising partners. The data that might have been disclosed by Meta Pixel includes email, phone numbers, IP addresses, emergency contacts information, appointment types, dates, selected physicians, portal menu selections, and any content typed into the “free text” boxes.

ANALYST NOTES

Sixty-four healthcare service providers in the United States use the MyChart portal, allowing users to schedule medical appointments, request prescription refills, get in touch with their clinicians, and access other services. Unfortunately, even people who haven’t used Novant’s services may still have been exposed due to the tracker’s improper configuration. The exposure persisted for two years before Novant’s IT employees realized the mistake and removed Meta pixel from its sites and portal in May 2022. Novant identified all impacted individuals after the investigation that was completed on June 17, 2022, and only those who received notices may consider themselves victims of a breach. The healthcare company claims that after numerous attempts to contact Meta regarding the deletion of the healthcare data, no response has been received. A class action lawsuit was recently launched in the United States against Meta and two hospitals, claiming that the tech giant and its partners knew they were gathering private data through Meta Pixel without getting the user’s permission. Although the lawsuit named two healthcare service providers as defendants, the scenario encompassed numerous hospitals engaging in such illegal tracking practices.

https://www.bleepingcomputer.com/news/security/misconfigured-meta-pixel-exposed-healthcare-data-of-13m-patients/