U.S. Healthcare Provider Confirms Unauthorized Disclosure of 1.36 Million Patient Records to Meta

A healthcare provider has confirmed the impermissible disclosure of patient information to Meta through the misconfiguration of Meta Pixel tracking code on its website.

Earlier this year, The Markup published a report on an investigation into the use of Meta Pixel tracking code on hospital websites. Meta Pixel is used to track user activity on websites and to measure advertising performance; however, the data collected through Meta Pixel can also be used to serve targeted adverts to individuals. This is a problem when Meta Pixel is used on healthcare provider websites, as it has the potential to violate HIPAA compliance requirements, which restrict uses and disclosures of health information.

The Markup’s investigation found that 33 of Newsweek’s top U.S. hospitals had used the Meta Pixel JavaScript code snippet on their websites, including some that added the code behind their password-protected patient portals. When patients visited those portals, information about the user and their interactions on the site was sent to Meta, including options selected from forms – such as the reason for arranging an appointment. That information potentially revealed individuals’ protected health information, and patients had not given their consent to have that information shared. Some allege they were subsequently shown personalized ads related to their medical conditions, and multiple class action lawsuits have now been filed against healthcare providers that used Meta Pixel on their websites.

HIPAA has data breach reporting requirements. Breaches of protected health information must be reported to the HHS’ Office for Civil Rights and affected individuals notified about any such breach. Novant Health, a U.S. healthcare provider, has recently announced that the sensitive data of patients has been mistakenly collected and transmitted to Meta through the Meta Pixel code. Novant Health is the first healthcare provider to report a Meta Pixel-related data breach.

Novant Health said the impermissible disclosure of patient data was due to a misconfiguration, which inadvertently resulted in the disclosure of the protected health information of 1,362,269 individuals. The code had been added to the Novant Health website in May 2020 and was used to track promotional campaigns related to a COVID-19 vaccination program. That program also involved the use of Facebook ads, with the code used to evaluate the performance of the ad campaign. Meta Pixel code was misconfigured on the healthcare provider’s MyChart portal, which meant private information was transmitted to Meta, and that information was in turn sent to Meta’s advertising partners.
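As an added illustration of the check a provider's privacy or security team could run before a pixel reaches a patient portal (this is not code from the article, Novant Health or Meta), the following Node.js script scans page HTML for the Meta Pixel loader and `fbq()` calls and flags any pixel found under an authenticated portal path. The URLs, HTML and pixel ID are constructed sample values, and the list of portal paths is an assumption.

```javascript
// Added example (not from the article, Novant Health or Meta): audit crawled page HTML for
// the Meta Pixel so a privacy review can see which URLs load it and which events it sends.
// Sample URLs, HTML and the pixel ID are constructed; the portal path list is an assumption.

// The Pixel is loaded from connect.facebook.net/<locale>/fbevents.js and driven via fbq().
const PIXEL_LOADER = /connect\.facebook\.net\/[A-Za-z_]+\/fbevents\.js/;
const PIXEL_INIT = /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]/g;
const PIXEL_TRACK = /fbq\(\s*['"](?:track|trackCustom)['"]\s*,\s*['"]([^'"]+)['"]/g;

// Assumed paths of the authenticated patient area: page views, menu selections and form
// values there can reveal health information, so any pixel found under them is high risk.
const PORTAL_PATHS = /\/(mychart|portal|appointments?|prescriptions?)(\/|$|\?)/i;

function auditPage(url, html) {
  const pixelIds = [...html.matchAll(PIXEL_INIT)].map((m) => m[1]);
  const events = [...html.matchAll(PIXEL_TRACK)].map((m) => m[1]);
  const present = PIXEL_LOADER.test(html) || pixelIds.length > 0;
  const portal = PORTAL_PATHS.test(new URL(url).pathname);
  let risk = 'none';
  if (present) risk = portal ? 'high' : 'review';
  return { url, present, pixelIds, events, portal, risk };
}

// Audit a set of crawled pages; return only those carrying the Pixel, highest risk first.
function auditSite(pages) {
  const order = { high: 0, review: 1, none: 2 };
  return pages
    .map(({ url, html }) => auditPage(url, html))
    .filter((f) => f.present)
    .sort((a, b) => order[a.risk] - order[b.risk]);
}

// Constructed sample pages: a public campaign landing page, a portal scheduling page that
// passes a form value to fbq(), and a page with no pixel at all.
const SAMPLE_PAGES = [
  { url: 'https://example-health.invalid/vaccine-campaign',
    html: '<script src="https://connect.facebook.net/en_US/fbevents.js"></script>' +
          "<script>fbq('init', '1234567890'); fbq('track', 'PageView');</script>" },
  { url: 'https://example-health.invalid/mychart/appointments/schedule?dept=cardiology',
    html: "<script>fbq('init', '1234567890'); fbq('track', 'PageView');" +
          "fbq('track', 'Schedule', {reason: document.getElementById('reason').value});</script>" },
  { url: 'https://example-health.invalid/contact', html: '<h1>Contact us</h1>' },
];

const FINDINGS = auditSite(SAMPLE_PAGES);
for (const f of FINDINGS) console.log(f.risk, f.url, f.pixelIds.join(','), f.events.join(','));
```

Run with `node audit.js`; the portal scheduling page is reported as high risk with the `Schedule` event, the campaign page as needing review, and the contact page is not listed.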

Novant Health’s investigation confirmed the data sent included email addresses, IP addresses, phone numbers, emergency contact information, portal menu selections, appointment dates and types, selected physician, and any information submitted in the free text boxes. Since the portal is used by 64 healthcare service providers for booking appointments, getting prescription refills, and making contact with providers, individuals may have had their information transmitted even if they had not used Novant Health’s portal directly.

When the issue was discovered, the code was removed from the website; however, it had been present on the portal for around 2 years. The investigation into the breach concluded on June 17, 2022. Novant Health said it asked Meta to delete the data but, despite multiple attempts to make contact, received no response.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of NetSec.news