WakeMed Health and Hospitals, a health system with multiple healthcare facilities in metropolitan Raleigh, NC, has recently notified around 495,000 patients that some of their protected health information may have been impermissibly disclosed to Meta/Facebook due to the use of Meta Pixel tracking code on its website.
The privacy violation was announced by the health system on October 14, 2022, with WakeMed stating that the code was first added to its website and MyChart patient portal in March 2018. The code is used to gather information on user activity on websites, which is achieved through the use of cookies. WakeMed said the code was added for website optimization and to “better connect members of our community with WakeMed’s MyChart patient portal, thereby improving access to their health care, and to help improve the WakeMed website.”
The problem, as many healthcare systems have discovered, is that in addition to tracking user activity, the snippet of JavaScript code also transmits data to Meta/Facebook, which potentially includes sensitive patient information and information that can allow patients to be identified. According to WakeMed, the transmitted data included information entered by patients in the MyChart patient portal and on the appointment scheduling page.
The types of information transmitted depended on patients’ interactions on the website, their use of forms, and the data selected or entered when scheduling appointments. WakeMed said the information transmitted to Meta/Facebook may have included one or more of the following: email address, phone number, other contact information, IP address, emergency contact information, information provided during online check-in (e.g., allergy or medication information), COVID vaccine status, information about an upcoming appointment (e.g., appointment type and date, physician selected, and button/menu selections), and any information added to free text boxes.
WakeMed said its investigation was unable to determine whether Meta or Facebook collected or used any of the information transmitted by the Meta Pixel code. Meta has previously stated that if it identifies any information it is not authorized to receive, the information will not be used or provided to third parties for uses such as serving targeted advertisements. Multiple lawsuits filed against other healthcare organizations claim that targeted advertisements have been served using Meta Pixel-collected data.
WakeMed said that after it became aware of the issue, the Meta Pixel code was stripped from its website in May 2022 and that there are no further plans to use the code unless it can be confirmed that there is no potential for it to transmit sensitive data. Policies and procedures have also been implemented that involve comprehensive reviews of code before it is added to its website to prevent similar situations in the future. The North Carolina Attorney General has launched an investigation into the incident.
WakeMed joins Novant Health and Aurora Advocate Health in issuing notifications to patients about impermissible disclosures of PHI due to the use of Meta Pixel and other tracking code, and this is unlikely to be the last such announcement by a healthcare provider. A study conducted by The Markup/STAT on the top 100 hospitals in the United States found one-third had used Meta Pixel code on their websites.
The post WakeMed Announces Meta Pixel-Related Breach Affecting 495,000 Patients appeared first on HIPAA Journal.