PHI of 3 Million Advocate Aurora Health Patients Impermissibly Disclosed Because of Meta Pixel Tracking Code

First, Novant Health stated that the protected health information (PHI) of 1.36 million individuals was transmitted to Meta. Now, Advocate Aurora Health is the second to confirm that it also put the Meta Pixel tracking code on its web page, which led to impermissible disclosure of the PHI of around 3,000,000 individuals. Both healthcare systems aren’t the only entities impacted by using Meta Pixel or other third-party tracking codes on their web pages.

The Markup/STAT published an analysis in June indicating that 33% of the United States’ top 100 hospitals had put the code on their web pages, and at least 6 had used the code inside their password-protected patient websites. Right after knowing this, patients impacted by the breach filed a lawsuit against their healthcare companies and Meta due to the impermissible disclosure of their PHI. In a few instances, their personal and confidential data was employed in serving them target ads associated with their health problems, resulting from their usage of their healthcare providers’ websites. Meta and Dignity Health Medical Foundation/UCSF Medical Center, and Meta and Medstar Health System based in Maryland are currently facing lawsuits.

Meta Pixel is a piece of JavaScript code added to websites and web apps by website owners to track visitor activity. Adding the code to healthcare providers’ websites allows the monitoring of the performance of ad campaigns, as was the instance with Novant Health, or determining trends and personal preferences of individuals. Nevertheless, a number of the collected data involved options made through drop-down choices in web forms, which could have contained data regarding health conditions, and that data might have contained personal identifiers.

The data gathered via the Meta Pixel code snippet is provided to Meta, and that data could be shared with advertisers and employed to provide targeted ads. Meta has mentioned that it has systems set up to identify and determine which data it isn’t permitted to get – for instance, medical data – which is removed and not provided to advertisers when it is discovered. Nevertheless, that doesn’t seem to have always occurred, based on the claims included in the lawsuits.

The two issues in this lawsuit, which violates the Health Insurance Portability and Accountability Act (HIPAA) are:
No patient consent was obtained before sharing their data with Meta/Facebook and third-party apps
Patients’ PHI was impermissibly disclosed to Meta/Facebook or other parties without a signed business associate agreement

Advocate Aurora Health Sends Breach Notification

Advocate Aurora Health is a not-for-profit health system having two headquarters located in Milwaukee, WI, and Downers Grove, IL. Advocate Aurora Health manages 27 hospitals, and over 500 outpatient facilities, and serves about 3 million patients. All patients were affected by the data breach.

In its breach notification letters, Advocate Aurora Health mentioned that its website and applications used the Meta Pixel code to know how patients and other people use their websites and to identify trends and patient preferences. Advocate Aurora Health additionally noted that a lot of other hospitals and health systems also added code snippets to their web pages and programs for the same reasons.

Advocate Aurora Health discovered that when people used its websites and applications while logged into their Facebook or Google accounts, their information related to their interactions on the web pages and applications (i.e. MyChart account and LiveWell application), including their identities are shared with Google and Facebook/Meta. In certain instances, the interactions included PHI. Upon knowing this, it disabled or removed the code snippets from its web pages and applications. An internal investigation was started to find out the scope of transmitted patient data to third-party vendors.

Advocate Aurora Health revealed that as a safety precaution, it decided to issue breach notifications to all individuals with an Advocate Aurora Health MyChart account and utilized the LiveWell app or the booking widgets.

The affected patients might have had at least one of these types of data sent to Facebook/Meta, Google, or other apps:

  • Dates, times, and/or locations of booked visits
  • IP address
  • Proximity to an Advocate Aurora Health facility
  • Data related to a patient’s healthcare provider
  • Type of visit or procedure
  • Communications via MyChart, which could have contained medical record numbers, first and last names
  • Data about the patient’s insurance, if any
  • Whether a patient used a proxy MyChart account, the first name of the patient and the patient’s proxy.

Advocate Aurora Health stated its investigation shows there were no financial account details, credit/debit card details, or Social Security numbers impermissibly disclosed. It also put in place an improved, robust technology vetting procedure when considering any tracking technologies it may use later on to make sure privacy violations don’t happen again.

About Christine Garcia 1299 Articles
Christine Garcia is the staff writer on Calculated HIPAA. Christine has several years experience in writing about healthcare sector issues with a focus on the compliance and cybersecurity issues. Christine has developed in-depth knowledge of HIPAA regulations. You can contact Christine at [email protected]. You can follow Christine on Twitter at