Health System’s Use of Internet Tracking Tool Transmitted Sensitive Patient Information to Facebook
Advocate Aurora Health, an integrated nonprofit healthcare system, alerted its 3 million patient base and the Department of Health and Human Services that pieces of code known as “pixels,” an internet tracking tool, or similar technologies installed on its patient portals, transmitted certain patient information to Meta Platforms, Inc. (formerly known as Facebook), the provider of pixel technology. Aurora explained that sensitive information such as the names of patients and providers, IP addresses, and dates and locations of scheduled appointments were among the information which was transmitted to Meta. Aurora has disabled and/ or removed the pixels from its platforms and launched an internal investigation to better understand what patient information was transmitted.
Although Aurora representatives have stated that the pixels were unlikely to result in identity theft or financial harm to patients, a class action suit was filed against Meta and Aurora on October 28, 2022 in U.S. District Court in Chicago alleging violations of the Electronic Communications Privacy Act, the Stored Communications Act, and the Health Insurance Portability and Accountability Act of 1996 by “knowingly and repeatedly intercepting, accessing and disclosing” personal and sensitive health information.
A report from The Markup, a nonprofit news site, found that out of 100 hospitals, roughly one-third utilized Meta’s pixel technology on their websites and inside password-protected patient portals to track visitor activity on the website.