Facebook's Meta Pixel Tool Exposes 3 Million Patients In Horrific Healthcare Data Breach

Advocate Aurora Health (AAH), a healthcare provider with locations in Illinois and Wisconsin, has published a data breach notice to its website. However, rather than being the victim of a ransomware attack or some other form of unauthorized access, AAH has instead attributed the incident to a bit of JavaScript provided by Meta, Facebook’s parent company. The JavaScript in question is known as the Meta Pixel and serves to track user behavior on websites.

AAH, like many other healthcare providers, embeds the Meta Pixel in its websites in order to “measure and evaluate information concerning the trends and preferences of its patients as they use [its] websites.” However, according to AAH, it wasn’t until recently that the healthcare provider learned that Meta can sometimes access the extensive user behavior information collected by its pixel technology.

Advocate Aurora Health hospital in Two Rivers, Wisconsin (source: Wikimedia Commons)

Since discovering the Meta Pixel’s information sharing practices, AAH has disabled and/or removed the pixel JavaScript from its websites and filed a data breach report with the US Department of Health and Human Services (HHS). The healthcare provider is also conducting an internal investigation aimed at determining exactly what patient information was shared with Meta.

The data breach notice states that “Users may have been impacted differently based on their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform.” However, AAH has decided it best to assume that all patients with AAH MyChart accounts, in addition to patients who have used scheduling widgets on any AAH platform, may have been affected by this data breach. So far, the healthcare provider has determined that the Meta Pixel may have shared the following information with Meta without patients’ knowledge:
  • IP addresses
  • Dates, times, and locations of scheduled appointments
  • Patient’s proximity to an AAH location
  • Information about patients’ providers
  • Types of appointments and procedures
  • Communications between patients and others through MyChart
  • First and last names
  • Medical record numbers
  • Insurance information
  • Proxy MyChart account information

AAH states that it has no evidence that the information shared with Meta has been misused in any way. The healthcare provider considers it “very unlikely” that this incident will lead to cases of identity theft or fraud, but nonetheless encourages patients to monitor their financial accounts for unexpected or suspicious activity.