U.S. healthcare provider Novant Health has disclosed a data breach impacting 1,362,296 individuals who have had their sensitive information mistakenly collected by the Meta Pixel ad tracking script.
Meta Pixel (formerly Facebook Pixel) is a JavaScript tracking script that Facebook advertisers can add to their site to track advertising performance.
The unauthorized patient data access and disclosure began in May 2020, when Novant ran promotional campaigns for COVID-19 vaccination, which involved Facebook advertisements.
To track these advertisements, the healthcare company added the Meta Pixel code to their site to measure how well the advertisements worked.
As explained in a statement published late last week, Meta pixel was misconfigured on Novant Health’s site and the ‘MyChart’ portal, transmitting privacy information to Meta and its advertising partners.
The information that may have been exposed through Meta Pixel includes the following:
Email address
Phone number
IP address
Emergency contact information
Appointment type and date
Selected physician
Portal menu selections
Any content typed into the “free text” boxes
The MyChart portal is used by 64 healthcare service providers in the U.S., allowing their patients to book appointments with doctors, request prescription refills, contact their providers, and more.
Unfortunately, this means that even those who haven’t used Novant’s services directly might still have been exposed due to the tracker’s misconfiguration.
Novant finally removed Meta pixel from its sites and portal in May 2022, when its I.T. teams realized the mistake, so the exposure lasted for two years.
“Immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta, Novant Health disabled and removed the pixel as a precaution and began an investigation to learn whether, and to what extent, information was transmitted, ” explains a disclosure on the Novant Health website.
The firm says it has determined the impacted individuals after a lengthy investigation that was concluded on June 17, 2022, so only those who received notices may consider themselves breached.
Novant says it has reached out to Meta several times to delete the healthcare data but did not receive a response.
“We reached out to Meta Facebook several times and through different channels, but never got a response,” Novan Health concludes in their advisory.
Bleeping Computer has contacted Facebook for a comment on the above, and we will update this piece as soon as we hear back.
Related litigation
Recently, a class action lawsuit against Meta and two medical centers in the United States was filed alleging that the tech giant and its partners were knowingly collecting private information without requesting the user’s consent through the Meta Pixel.
While the lawsuit listed two healthcare service providers in the defendants’ section, the outline involved many hospitals in the country following similar illegal tracking practices.
Considering the delay in discovering the misconfiguration, it’s possible that the investigation was launched in response to the news of the legal action.
Distributing notices of a breach doesn’t mitigate the consequences of the incident. However, it may help reduce the chances of facing legal action on similar grounds as those against UCSF Medical Center and the Dignity Health Medical Foundation.