Facebook tracking pixel causes data leak at US health care system, 3 million patients affected

Sicherheit (Pexels, allgemeine Nutzung)[German]A new case from a US healthcare platform showing how critical tracking pixels from social media platforms can be. Advocate Aurora Health, a large nonprofit operator of healthcare facilities in the Midwestern U.S., had to inform its patients that sensitive data may have been leaked through the use of meta-counting pixels in its own websites and online services.


Advocate Aurora Health (AAH) is an operator of 26 hospitals in Wisconsin and Illinois (USA). On AAH's website as well as in its online services, web developers had embedded so-called meta counting pixels. Meta pixel is a JavaScript tracker that allows website operators to analyze visitor interaction with websites.

The problem is that the tracker also sends sensitive data to Meta (Facebook). This data then runs on to a vast network of marketers, who then target users (in this case, patients) with targeted ads. The tracking pixels tell the network what data the patient has left with AAH.

Now Advocate Aurora Health (AAH) had to notify its patients of a data breach in this context. This meta-counting pixel exposed the personal information of 3,000,000 patients. The security incident was reported to the Department of Health and Human Services on Oct. 14. This is according to the agency's database of security breaches currently under investigation. The entry describes the security breach as an unauthorized disclosure of electronic medical records affecting 3 million individuals.

A notice from Advocate Aurora Health (AAH) to its patients describes this data breach incident in more detail. With regard to the patient data disclosed, their website states that the following information may have been leaked:

  • IP address
  • Date, time and location of scheduled appointments
  • Proximity to an AAH location
  • Medical provider information
  • Type of appointment or procedure
  • Communication between MyChart users, which may include first and last names and medical record numbers
  • Insurance information
  • Proxy account information

Bleeping Computer and The Record Media reported this case. In the U.S., such data breaches seem to occur regularly, as Bleeping Computer discloses in its article. In the meantime, lawsuits are already underway against the companies that have to report data privacy violations due to meta pixels.


Cookies helps to fund this blog: Cookie settings

This entry was posted in Security and tagged , . Bookmark the permalink.

Leave a Reply

Your email address will not be published. Required fields are marked *