Approximately 1.3 million patients tied to Novant Health are being informed their data was likely disclosed to Facebook’s parent company Meta due to a misconfiguration of the Pixel tool on its website. The North Carolina-based nonprofit consists of 15 medical centers and over 800 provider and specialist care sites.
The breach notice comes on the heels of multiple reports and patient-led lawsuits accusing Facebook of scraping healthcare data from hospital websites. The initial investigation by The Markup website found the social media giant’s Pixel tool was installed on 33 healthcare websites.
While it’s not clear from the notification whether these reports prompted the discovery, Novant Health disclosed the use of Pixel and the likely compromise “in an effort to be as transparent as possible.”
The health system deployed a promotional campaign in May 2020 in response to the COVID-19 pandemic to encourage more patients to leverage its Novant Health MyChart patient portal and increase participation with virtual care visits. The effort included Facebook advertisements and the Pixel tool installed on its website to track the success of the social media campaign.
However, “in this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal,” according to the notice.
Upon discovering the “unintended” disclosure of patient data to Meta, the Pixel tracking tool was disabled and removed “as a precaution.” The subsequent investigation concluded on June 17 and confirmed the possibility of improper data sharing, depending on users’ activity on the Novant website and patient portal.
The data shared with Meta could include patients’ demographic details, contact information, emergency contacts or advanced care planning, appointment type and date, chosen provider, button or menu selections, “and/or content typed into free text boxes.” No Social Security numbers or other financial information were involved, unless typed into a free text box.
The disclosed data varied by patient and the personalized patient notices inform the individual whether any financial data could have been compromised.
The details bear the hallmarks of the claims made against Facebook in a mid-June lawsuit: Pixel redirects patient data from “supposedly ‘secure’ patient portals,” which results in the “wrongful, contemporaneous, redirection to Facebook of patient communications.”
The lawsuit also claims that on providers’ websites with the pixel tool installed, its “source code causes the exact content of the patient’s communication with their healthcare provider to be redirected to Facebook in a fashion that identifies them as a patient.”
However, the notice shows Novant Health has not found any improper or attempted use of patient data by Meta or another third party. Facebook’s Terms and Conditions note their “policies and filters block sensitive personal data and do not incorporate that information into their Ad Manager.”
Erring on the side of caution, Novant Health is sending letters to all patients who may have been impacted by the pixel misconfiguration, some of whom are patients of independent providers and care sites using its MyChart medical record. The health system is also “taking actions to ensure this does not happen again and has governance policies in place for pixel use.”