Advocate Aurora Health (AAH), a 26-hospital healthcare group in Wisconsin and Illinois, is informing its patients of a data breach that disclosed 3,000,000 individuals’ personal information.

The incident occurred as a result of the incorrect usage of Meta Pixel on AAH’s websites, where patients log in and provide sensitive personal and medical information.


What Does Meta Pixel Do?

Meta Pixel is a JavaScript tracker that lets website owners see how users use the site and make improvements. The tracker also sends sensitive information to Meta (Facebook), which is then shared with a huge network of marketers who send ads that are relevant to the patients’ conditions.

As Meta Pixel is used by multiple hospitals across the United States, this data breach has sent shockwaves through the country, exposing the personal information of millions of people to unauthorized parties and generating class action lawsuits against the companies at fault.

According to Bleeping Computer, in August 2022, Novant Health, a U.S. health care provider, admitted that it had used Meta Pixel incorrectly when putting together the “MyChart” portal, putting 1.3 million patients at risk. AAH also uses the “MyChart” patient portal and the “LiveWell” platform, which both had active Meta Pixel trackers.

What Data Has Been Exposed?

According to AAH’s data breach statement, the following information may have been exposed through Meta Pixel:

  • Internet Protocol (IP) address
  • Scheduled appointment dates, times, and locations
  • Proximity to an AAH facility
  • Information about medical providers
  • Appointment or procedure type
  • MyChart user communications, which may have included first and last names as well as medical record numbers
  • Insurance details
  • Proxy account information

The incident was reported by AAH to the U.S. Department of Health, which included it on its breach notification page after learning that 3 million people were affected.

All of AAH’s systems no longer have the Pixel tracker enabled, and new measures are being taken to prevent a repeat of this vulnerability. Patients should either use a tracker blocker or browse the web in incognito mode. Patients with a Google or Facebook account are strongly advised to check their security settings.

If you liked this article, follow us on LinkedInTwitterFacebookYoutube, and Instagram for more cybersecurity news and topics.

What Is Vulnerability Management?

What Is a Data Breach and How to Prevent It

Facebook Privacy & Security Guide: Everything You Need to Know [Updated]

Leave a Reply

Your email address will not be published. Required fields are marked *