Advocate Aurora Health is notifying patients that their information was shared with third-party vendors via Facebook's Pixel tracking tool. (Photo by Justin Sullivan/Getty Images)

Advocate Aurora Health is informing patients that their protected health information was shared with third-party vendors, like Google and Facebook, as a result of using the Pixel tracking tool on its MyChart and LiveWell patient portal websites and applications and some scheduling tools. 

With 3 million affected patients, the privacy incident is among the top three largest reported healthcare data breaches this year.

This is the second major disclosure involving the Pixel tool. Following several reports and lawsuits that accused Facebook of scraping health data from hospital websites, Novant Health notified 1.3 million patients that it had inadvertently disclosed patient data by using the Pixel tool.

The Markup was the first to detail the website scraping by Facebook’s Pixel tool, which found the tool installed on 33 healthcare websites. This is the first patient notice to include Google’s pixel as performing the data sharing practice.

According to its notice, Advocate Aurora Health previously used internet tracking technologies, like “Google and Meta to understand how patients and others interact with our websites.” These services were used for measuring and evaluating trends and preferences of patients using the provider websites.

“These technologies disclose certain details about interactions with our websites, particularly for users that are concurrently logged into their Google or Facebook accounts and have shared their identity and other surfing habits with these companies,” officials explained.

However, the provider learned that these pixels or similar technologies installed on its websites actually disclosed certain protected health information in “particular circumstances to specific vendors,” due to the use of those technologies.

Upon discovering this unauthorized disclosure, Advocate Aurora disabled and/or removed pixels from its platforms and performed an internal investigation to understand just what patient data was transmitted to vendors.

The data could include patients’ IP addresses, appointment dates, times, and/or locations, proximity to Advocate Aurora Health locations, provider details, appointment or procedure types, communications between the patient and others on the MyChart platform like names and medical record numbers, insurance information, and proxy names.

The investigation confirmed no Social Security numbers or any financial information was involved.

Erring on the side of caution, the provider is assuming all patients with a patient portal account on the affected platforms or who’ve used their scheduling widgets have been affected. The impact will vary by the user’s choice of browser, the configuration, blocking, clearing, or use of cookies, if the user has a Facebook or Google account and were logged in, and specific user actions.

Advocate Aurora is continuing to determine how to further reduce the risk of unauthorized disclosures of patient data, as it monitors its security systems to evaluate possible enhancements. Any proposed use of tracking technologies will be evaluated under its newly updated technology vetting process.

Patients are being encouraged to block or delete cookies from their browsers and to use browsers with supportive privacy measures, like incognito mode. Facebook and Google privacy settings can also be adjusted.

This is the second vendor-related incident reported by Advocate Aurora in the last two years. Its data was included in the ransomware-related incident reported by Elekta, a radiation therapy, radiosurgery, and clinical management services vendor.

Data of 235K Keystone Health patients accessed in monthlong hack

Pennsylvania-based Keystone Health recently notified 235,237 patients that their data was accessed for nearly a month during an undetected systems hack in August.

First discovered on Aug. 19, a cyber incident “temporarily disrupted” its computer systems. Officials said they reported the incident with law enforcement and launched an investigation with support from an outside cybersecurity firm. The forensics showed a threat actor first accessed the network on July 28, until Aug. 19 when the intrusion was detected.

During the dwell time, the actor accessed Keystone Health files, including patient data like names, Social Security numbers, and clinical information. The notice does not provide further details into the impacted data, or the type of threat behind the cyber incident.

In response, Keystone is implementing additional network security measures and providing employees with additional training.

70K Valle del Sol patients just now informed of January data theft

Current and former patients of Valle del Sol in Arizona are just now being notified of a systems hack that resulted in the access and theft of their protected health information as far back as Jan. 25.

“Unusual activity” was discovered 10 months ago, which prompted Valle del Sol to take steps to secure the network and minimize the impact of the incident. The investigation confirmed the exfiltration of some protected health information.

The notice suggests the delayed notification was brought on by a “comprehensive review” to identify the patients and impacted data that concluded on July 18. However, notices weren’t sent until nearly three months later.

As reported repeatedly, the Health Insurance Portability and Accountability Act requires entities impacted by PHI breaches to report within 60 days of discovery, not at the close of an investigation. Other providers facing similar challenges with identifying contact have instead posted a public notice for those individuals. Prompt notification enables patients to proactively monitor their credit and reduce fraud risk.

The stolen data could include names, SSNs, dates of birth, driver’s license numbers, clinical or diagnosis data, medical record numbers, Medicare or Medicaid numbers, and health insurance member ID numbers.

Cardiac Imaging Associates reports PHI exposed in April email hack

Cardiac Imaging Associates recently informed an undisclosed number of patients that their data was compromised during the hack of an internal email account in April. CIA provides medical imaging services for a range of providers.

The lengthy delay is attributed to CIA only recently concluding its investigation into the incident, which included a “time-intensive review of the contents of the email accounts.” The review concluded in August, and CIA waited another 60 days before sending patient notices.

After detecting suspicious activity within the impacted account, CIA secured the system and launched an investigation. The forensics showed a threat actor had access to the email account for about a week before it was discovered, between March 30 and April 6. The investigation could not confirm whether or not the actor viewed the emails or attachments.

The compromised account contained data that varied by patient and could include names, SSNs, dates of birth, driver's license numbers, financial account details, payment cards, diagnoses, conditions, lab results, medications, and treatment information.

CIA has since enhanced systems security, as it works to review its existing policies and implements internal training protocols to better prevent a recurrence.

Legacy server hack spurs notice for 12K Riverside Medical patients

A little over 12,000 patients tied to the Riverside Medical Group in New Jersey were recently notified that their data was compromised after the hack of a legacy server at its West Orange clinic.

The security issue was discovered on Aug. 3 on an independent, legacy server used by a provider to maintain patient immunization records. A detailed forensics examination discovered patient health and personal data was stored on the server, which was potentially accessed or acquired by the threat actor before it was locked down.

The compromised data could include names, dates of birth, contact details, gender, immunization records and dates of immunizations, provider information, and health plan details, including the ID number. No SSNs, driver’s licenses, or financial account details were stored on the server.

The server in question has since been locked down and disabled. No other RMG systems or servers were affected. RMG is currently reinforcing existing policies and reevaluating possible safeguards to prevent a similar incident.