A second health system has announced that patient data has been impermissibly passed to Meta (Facebook) as a result of the inclusion of Meta Pixel tracking code on its website. First came Novant Health, with its admission that the protected health information of 1.36 million patients had been sent to Meta. Now, Advocate Aurora Health has confirmed that it too included the tracking code, which resulted in the impermissible disclosure of the protected health information of up to 3,000,000 patients. These two healthcare systems are far from the only ones affected by the use of Meta Pixel and other third-party tracking code on their websites.
An analysis published by The Markup/STAT in June suggested that one-third of the top 100 hospitals in the United States had included the code on their websites, including at least 6 that had incorporated the code within their password-protected patient portals. Following the discovery, patients affected by the breach took legal action against their healthcare providers and Meta over the impermissible disclosure. In some cases, their personal and private information was used to serve them targeted advertisements related to their medical conditions, as a result of their interactions on the websites of their healthcare providers. Lawsuits have been filed against Meta and Medstar Health System in Maryland, and against Meta and UCSF Medical Center/Dignity Health Medical Foundation.
Meta Pixel is a snippet of JavaScript code that website owners can add to their websites and web applications for the purpose of tracking visitor activity. In the case of healthcare providers, the code can be used for tracking the performance of advertising campaigns, as was the case with Novant Health, or identifying trends and preferences of patients. However, some of the data collected involved choices made via drop-down selection in web forms, which may have included information about medical conditions, and that information may have included personal identifiers.
The data collected through the Meta Pixel code snippet is sent to Meta, and that information may be made available to advertisers and used to serve targeted adverts. Meta has explained that it has technology in place to detect and identify data that it is not authorized to receive – such as medical information – which is stripped out and not made available to advertisers if it is detected. However, that does not appear to have always happened, according to the allegations made in the lawsuits.
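The mechanism described above (a third-party script loaded on a page that also contains drop-down form fields, so that selections can be sent off-site) is straightforward to check for from the operator's side. The following is an added audit helper, not code from HIPAA Journal, Advocate Aurora Health or Meta: it scans raw HTML for script tags served from the Meta Pixel loader host, for an inline `fbq('init'/'track')` call, and for named `<select>` elements, and flags the combination as high risk. The sample pages, the pixel id placeholder and the function names are constructed for this illustration.

```javascript
// Added example (not from the original article): audit a page's HTML for a
// third-party tracking loader sitting alongside drop-down form fields.
// The hostnames below are the well-known Meta Pixel loader/endpoint hosts;
// everything else in this file is constructed for illustration.

const TRACKER_HOST_PATTERNS = [
  /(^|\.)facebook\.net$/i,   // connect.facebook.net serves fbevents.js (Meta Pixel)
  /(^|\.)facebook\.com$/i,   // Meta's collection endpoints
];

// Resolve a script src to a hostname; relative URLs resolve against a dummy base.
function hostOf(url) {
  try {
    return new URL(url, 'https://example.invalid/').hostname;
  } catch (e) {
    return '';
  }
}

// Collect the src attribute of every external <script> tag.
function findScriptSources(html) {
  const srcs = [];
  const re = /<script\b[^>]*\bsrc\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) srcs.push(m[1]);
  return srcs;
}

// Collect the name attribute of every <select> (drop-down) element.
function findDropdownNames(html) {
  const names = [];
  const re = /<select\b[^>]*\bname\s*=\s*["']([^"']+)["'][^>]*>/gi;
  let m;
  while ((m = re.exec(html)) !== null) names.push(m[1]);
  return names;
}

// Report trackers, inline pixel calls and drop-downs found on one page.
function auditPage(html) {
  const trackers = findScriptSources(html).filter((src) =>
    TRACKER_HOST_PATTERNS.some((p) => p.test(hostOf(src))));
  const inlinePixel = /\bfbq\s*\(\s*['"](init|track)['"]/.test(html);
  const dropdowns = findDropdownNames(html);
  return {
    trackers,
    inlinePixel,
    dropdowns,
    // High risk: a tracker is present on a page that also asks the visitor to
    // pick from a list (e.g. appointment type), the situation described above.
    highRisk: (trackers.length > 0 || inlinePixel) && dropdowns.length > 0,
  };
}

// Constructed sample: a scheduling page with a pixel loader and two drop-downs.
// The loader body is omitted; only the calls the audit looks for are kept.
const SAMPLE_PAGE = `
<html><head>
<script>fbq('init','PIXEL_ID_PLACEHOLDER');fbq('track','PageView');</script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
</head><body>
<form action="/schedule">
  <select name="appointment_type"><option>Follow-up</option><option>Procedure</option></select>
  <select name="provider"><option>Example Provider</option></select>
</form>
</body></html>`;

// Constructed sample: the same form with no third-party script at all.
const CLEAN_PAGE =
  '<html><body><form><select name="appointment_type"></select></form></body></html>';

console.log(JSON.stringify(auditPage(SAMPLE_PAGE), null, 2));
console.log(JSON.stringify(auditPage(CLEAN_PAGE), null, 2));
```

Run it over each template served from a patient portal or scheduling widget before release; any page where `highRisk` is true needs a business associate agreement review or the tracker removed, which is the outcome the notifications describe.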
There are two issues here: consent had not been obtained from patients prior to their data being shared with Meta/Facebook and other third parties, and patients’ protected health information was impermissibly disclosed to Meta/Facebook or others when there was no business associate agreement in place. Both are violations of the Health Insurance Portability and Accountability Act (HIPAA).
Advocate Aurora Health Breach Notification
Advocate Aurora Health is a non-profit health system with dual headquarters in Downers Grove, IL, and Milwaukee, WI. Advocate Aurora Health operates 27 hospitals, more than 500 outpatient locations, and serves around 3 million patients, all of whom may have been affected.
Advocate Aurora Health explained in its breach notification letters that Meta Pixel code was added to its website and applications “to understand how patients and others interact with our websites,” and for “identifying trends and preferences of patients.” Advocate Aurora Health also pointed out that many other hospitals and health systems had also used the code snippets on their websites and applications for similar purposes.
Advocate Aurora Health said it discovered that when individuals interacted with its websites and web applications while signed into their Google or Facebook accounts, in addition to data about their interactions on the websites and applications being shared with Google and Facebook/Meta, their identities would also have been disclosed. In some cases, those interactions may have included disclosures of protected health information.
“We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” explained Advocate Aurora Health. When this was discovered, the code snippets were either disabled or removed from its websites and web applications, and an internal investigation was launched to determine the extent to which patient data had been transmitted to third-party vendors.
Advocate Aurora Health explained that, out of an abundance of caution, the decision was taken to issue notifications to all patients who had an Advocate Aurora Health MyChart account, used the LiveWell application, or used the scheduling widgets on its web platforms. The extent to which those patients were affected, if at all, depends on their interactions with the website and whether they were logged into their Google or Facebook accounts at the time.
Patients affected may have had one or more of the following types of information transmitted to Google, Facebook/Meta, or others:
- IP address
- Dates, times, and/or locations of scheduled appointments
- Proximity to an Advocate Aurora Health location
- Information about a patient’s provider
- Type of appointment or procedure
- Communications through MyChart, which may have included their first and last name and medical record number
- Information about whether the patient was insured
- If a patient had a proxy MyChart account, the patient’s first name and the first name of the patient’s proxy.
Advocate Aurora Health said its investigation indicates no Social Security numbers, financial account information, or credit/debit card information was impermissibly disclosed. Advocate Aurora Health said it has now implemented an enhanced, robust technology vetting process for any tracking technologies that it considers using in the future to ensure similar privacy violations do not occur again.
The post Advocate Aurora Health: Website Tracking Code May Have Impermissibly Disclosed PHI of 3 Million Patients appeared first on HIPAA Journal.