Advocate Aurora Health has recently announced that patient data has been impermissibly disclosed to Meta/Facebook and Google as a result of the use of third-party tracking code snippets on its websites and web applications. The breach has affected up to 3 million patients, making it the largest breach to be reported by a single healthcare provider this year.
The Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule permits certain disclosures of identifiable protected health information (PHI) for limited reasons – disclosures related to treatment, payment, or healthcare operations. Other disclosures require patient content. In this case, the use of the code snippets on the website involved identifiable protected health information being disclosed to third parties without patient consent, in violation of the HIPAA Rules.
Advocate Aurora Health added third-party code snippets to its websites and web applications to track visitors’ interactions, identify trends, and discover patient preferences. Earlier this year, Advocate Aurora Health learned that when visitors to its website were logged in to their Google or Facebook accounts, information collected related to their website interactions was transmitted to third parties along with information that allowed those patients to be identified. One of the code snippets used was Meta Pixel from Meta/Facebook.
“We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” said Advocate Aurora Health in its website breach notice.
Advocate Aurora Health operates 27 hospitals and more than 500 outpatient centers, providing healthcare services to around 3 million patients. The healthcare provider took the decision to notify all 3 million patients about the use of this code snippet out of an abundance of caution. Patients that were not logged in to their Facebook or Google account when visiting the website may not have had identifiable information disclosed.
The nature of the disclosures would have been limited to their interactions on the website. Advocate Aurora Health said the disclosures were limited to IP address, dates, times, and/or locations of scheduled appointments, the patient’s proximity to an Advocate Aurora Health location, information about a patient’s provider, the type of appointment or procedure, communications that occurred through MyChart, which may have included first and last name and medical record number, the patient’s insurance status, and if a patient had a proxy MyChart account, the patient’s first name and the first name of the patient’s proxy.
Advocate Aurora Health has enhanced its processes for vetting technologies and will ensure that any future tracking technology it uses will be fully assessed to ensure patient privacy is not violated and has removed the code from its websites.
A Widespread Privacy Violation
Advocate Aurora Health is not the only healthcare organization to declare a data breach of this nature this year, and it is unlikely to be the last. Earlier this year, Novant Health announced that it installed Meta Pixel on its website and a misconfiguration resulted in the impermissible disclosure of the protected health information of 1.36 million patients to Meta. A study jointly conducted by The Markup/STAT earlier this year revealed one-third of the top 100 hospitals in the United States had similarly used Meta Pixel on their websites, including 7 that added the code to their patient portals. Advocate Aurora Health was not on the original list of healthcare providers that had added the code to their patient portals.
These privacy breaches have sparked multiple lawsuits from patients whose privacy has been violated, some of whom claim to have been served targeted ads on Facebook based on their interactions on the websites of their healthcare providers. Meta responded to these claims by stating that when data is transmitted to the company that it is not authorized to receive, that information is not passed on to advertisers for the purpose of serving targeted adverts.
The investigation by The Markup/STAT has seen Meta face Senate security over the data transmitted to the company by healthcare providers. Since publishing its report, most of the 33 hospitals that had the code snippet on their website have removed the code or blocked the transmission of data to Meta.