Facebook's Meta Pixel Tool Exposes 3 Million Patients In Horrific Healthcare Data Breach
Advocate Aurora Health (AAH), a healthcare provider with locations in Illinois and Wisconsin, has published a data breach notice to its website. However, rather than being the victim of a ransomware attack or some other form of unauthorized access, AAH has instead attributed the incident to a bit of JavaScript provided by Meta, Facebook’s parent company. The JavaScript in question is known as the Meta Pixel and serves to track user behavior on websites.
AAH, like many other healthcare providers, embeds the Meta Pixel in its websites in order to “measure and evaluate information concerning the trends and preferences of its patients as they use [its] websites.” However, according to AAH, it wasn’t until recently that the healthcare provider learned that Meta can sometimes access the extensive user behavior information collected by its pixel technology.

Since discovering the Meta Pixel’s information sharing practices, AAH has disabled and/or removed the pixel JavaScript from its websites and filed a data breach report with the US Department of Health and Human Services (HHS). The healthcare provider is also conducting an internal investigation aimed at determining exactly what patient information was shared with Meta.
The data breach notice states that “Users may have been impacted differently based on their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform.” However, AAH has decided it best to assume that all patients with AAH MyChart accounts, in addition to patients who have used scheduling widgets on any AAH platform, may have been affected by this data breach. So far, the healthcare provider has determined that the Meta Pixel may have shared the following information with Meta without patients’ knowledge:
- IP addresses
- Dates, times, and locations of scheduled appointments
- Patient’s proximity to an AAH location
- Information about patients’ providers
- Types of appointments and procedures
- Communications between patients and others through MyChart
- First and last names
- Medical record numbers
- Insurance information
- Proxy MyChart account information