Non-Profit Healthcare Provider Leaks The Data Of 3 Million Patients Via Malformed Tracking Pixel

I have to admit that this is a new way of leaking personally identifiable information that I never considered. Advocate Aurora Health is informing 3 million people that their protected health information was leaked to via a malformed tracking pixel to Facebook or Google:

In a data breach notification on its website, the healthcare system is informing patients that an incorrectly configured tracking pixel – placed on the MyChart and LiveWell websites and applications and on some scheduling widgets – exposed some of their information.

The pixel, the company says, “transmitted certain patient information to third-party analytics vendors that provided us with the pixel technology, particularly for users concurrently logged into their Facebook or Google accounts.”

Potentially exposed information includes IP addresses, information on scheduled appointments, patient proximity to an Advocate Aurora Health location, provider data, type of appointment or procedure, MyChart communications (including names and medical record numbers), insurance details, and the names of patient proxies.

Advocate Aurora Health says it has no evidence that Social Security numbers or financial account and credit/debit card details were exposed in the incident.

“We have disabled and/or removed the pixels from our platforms and launched an internal investigation to better understand what patient information was transmitted to our vendors,” the healthcare provider says.

Advocate Aurora Health says it has found no evidence that the exposed data has been misused and also notes that the misconfiguration is unlikely to lead to identity theft or financial harm.

I’m skeptical that this screw up won’t cause identity theft or financial harm. Facebook and Google sole purposes in life is to harvest information and then find ways to make money from it. Thus I can see a scenario where someone could get access to this info and then use it to to make the lives miserable of the people who are affected by this. I guess that’s why this health care provider is offering up the advice of checking your credit report. Likely because while they don’t think anything bad has happened, they don’t know for sure.

I for one hope that there’s an external investigation into this, and punishment if warranted is handed out swiftly because companies simply need to do a much better job of protecting data like this.

Leave a Reply