Advocate Aurora Health Breach – Meta Pixel in the Spotlight

We all know how Facebook works as it gathers users’ information to help marketers target them with advertisements based on their interests. This practice came back to haunt them with the famous Facebook breach. Unfortunately, “Meta” is back in the spotlight as it’s responsible for yet another breach in the Advocate Aurora Health (AAH) systems.

AAH is a 26-hospital healthcare system in Wisconsin and Illinois that has millions of customers across the country. And thanks to its use of Meta Pixel, it’s now notifying patients of a data breach that exposed the personal data of 3,000,000 of them.

Yes, that’s a huge number when it comes to data being out in the open. What entities can benefit from such a breach? What data was exposed? Here’s everything we know.

The AAH Breach – Meta Does it Again

Data breaches are happening everywhere, especially with companies that have millions of customers. While some of them are the result of cybercriminals’ practices, others come due to the improper use of some services. In this case, Meta Pixel.

Meta Pixel is a snippet of JavaScript code that allows website hosts to track their visitors’ activity. When used by companies such as Advocate Aurora Health, it’s mainly to help it make targeted improvements.

Users have to submit their personal information to log in, which is the main source of the problem. Meta Pixel sends this sensitive data to Meta (Facebook).

And apparently, the social media platform shares it with marketers so that they can target AAH’s patients with ads that cater to their conditions. This caused a riot in the US as Meta Pixel is now exposing millions of people to third parties.

AAH disclosed the breach via a statement, which states that the following information may have been exposed via Meta Pixel:

• IP address
• Dates, times, and locations of scheduled appointments
• Proximity to an AAH location
• Medical provider information
• Type of appointment or procedure
• Communications between MyChart users, which may have included first and last names and medical record numbers
• Insurance information
• Proxy account information

Unfortunately, this is not the first time such an incident has occurred. In fact, two months ago, U.S. healthcare provider Novant Health also disclosed a similar breach of 1.3 patients’ records while improperly using Meta Pixel in the MyChart Portal.

AAH also uses the ‘MyChart’ patient portal alongside LiveWell, both of which operate with the Meta Pixel trackers. Here’s what AAH had to say:

“When patients used Advocate Aurora Health patient portals available through MyChart and LiveWell platforms, as well some of our scheduling widgets, certain protected health information (“PHI”) would be disclosed in certain circumstances, particularly for users concurrently logged into their Facebook or Google accounts.”

Advocate Aurora Health has disabled the Pixel tracker on all systems. Based on its statement, it has implemented the necessary procedures to prevent any similar exposure from happening again.

A Breach in the Health Department – Meta in the Spotlight Once More

The company is advising its patients to use incognito mode. If you’re affected, we recommend you update your privacy settings on Facebook and Google.

Online tracking can be very intrusive and frustrating. To avoid it, you can always block/delete cookies or use web browsers that provide enhanced privacy features.