Non-profit healthcare provider Advocate Aurora Health is informing 3 million individuals that a malformed tracking pixel has inadvertently exposed protected health information (PHI) to Facebook or Google.
Headquartered in Milwaukee, Wisconsin, and Downers Grove, Illinois, Advocate Aurora Health operates 26 hospitals and over 500 sites of care, and has more than 75,000 employees.
In a data breach notification on its website, the healthcare system is informing patients that an incorrectly configured tracking pixel – placed on the MyChart and LiveWell websites and applications and on some scheduling widgets – exposed some of their information.
The pixel, the company says, “transmitted certain patient information to third-party analytics vendors that provided us with the pixel technology, particularly for users concurrently logged into their Facebook or Google accounts.”
Potentially exposed information includes IP addresses, information on scheduled appointments, patient proximity to an Advocate Aurora Health location, provider data, type of appointment or procedure, MyChart communications (including names and medical record numbers), insurance details, and the names of patient proxies.
Advocate Aurora Health says it has no evidence that Social Security numbers or financial account and credit/debit card details were exposed in the incident.
“We have disabled and/or removed the pixels from our platforms and launched an internal investigation to better understand what patient information was transmitted to our vendors,” the healthcare provider says.
Advocate Aurora Health says it has found no evidence that the exposed data has been misused and also notes that the misconfiguration is unlikely to lead to identity theft or financial harm.
In its data breach notice, Advocate Aurora Health says that it’s informing all patients about the incident. In a filing with the US Department of Health and Human Services, the organization said that three million individuals were impacted.
Advocate Aurora Health is only one of the tens of healthcare providers in the US using similar malformed tracking pixels.
In August, Novant Health informed over 1.3 million individuals of similar PHI exposure, but the issue likely impacts more than 26 million patients at over 30 of the top 100 hospitals in the country.
Related: Australian Health Insurer Medibank Admits Customer Data Stolen in Ransomware Attack
Related: Novant Health Says Malformed Tracking Pixel Exposed Health Data to Meta
Related: New York Emergency Services Provider Says Patient Data Stolen in Ransomware Attack