Advocate Aurora says 3M patients' health data possibly exposed through tracking technologies

Advocate Aurora Health gave notice to patients that their health data may have been exposed through tracking technology. 

Up to 3 million patients may have been impacted in the breach against the health system, which is one of the Chicago area’s largest healthcare providers.

Advocate Aurora explained in a statement on its website that through the use of internet tracking technologies certain interactions on the provider’s website were leaked. The technologies from companies like Google and Facebook’s parent company Meta put pieces of code, called pixels, on certain websites and applications.

"These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population," the health system said in the online statement. "We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology."

The health system said it has disabled and/or removed the pixels from its platforms and launched an internal investigation to better understand what patient information was transmitted to third-party vendors.

“Out of an abundance of caution, Advocate Aurora Health has decided to assume that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on Advocate Aurora Health’s platforms, may have been affected,” Advocate Aurora Health officials wrote in the statement.

In an Oct. 14 filing with the U.S. Department of Health and Human Services' Office for Civil Rights, Advocate Aurora Health indicated the data breach of its electronic medical records system could affect 3 million people, the entirety of its patient base.

Advocate Aurora is a 27-hospital healthcare system in Wisconsin and Illinois with over 500 sites of care and $14 billion in annual revenue.

An initial investigation into the extent of the damage has been launched with all related technology currently disabled or removed from the health system’s platforms. It is not yet clear whether patient choice of browser, browser configuration, cookie usage, Facebook or Google accounts or the specific actions of users played a role in the release of their data, health system officials said.

Sensitive information including IP address, physical location, name and protected health information may have been exposed for the 3 million patients in question. While the investigation will reveal the extent of the breach, Advocate Aurora wrote in the related statement that it believes Social Security numbers, financial accounts and credit card or debit card information were not involved in this incident.

“These pixels would be very unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident,” health system officials wrote.

Meta Pixel is a JavaScript tracker that is used to track user movement within a site in order to improve patient experience and website operability. A similar breach was reported by Novant Health in August with 1.3 million patients’ data exposed to Google and Meta along with their vast number of third party vendors.

A long string of complaints and lawsuits against hospitals and Meta for collecting data on hospital websites has included UCSF Medical Center, Dignity Health, Northwestern Memorial Hospital and Baltimore’s Medstar Health System. Litigants claim that the data acquired violates the Health Insurance Portability and Accountability Act.

A report from the investigative newsroom The Markup claimed that the Meta Pixel tracker was, until recently, included in the online scheduling tools of roughly a third of the country’s top hospitals.

Advocate Aurora had advised patients to use browser tracker-blocking features or incognito mode when logging into medical portals. It also suggests that those Facebook or Google accounts examine their privacy settings.