Health care system says tracking pixel breach may have affected 3 million patients
Advocate Aurora Health, a major midwestern non-profit health care system, is informing patients that the use of tracking pixels in its web design and online services may have leaked sensitive information.
The security incident was submitted to the Department of Health and Human Services on October 14, according to the agency’s database of breaches currently under investigation. The entry describes the breach as an unauthorized disclosure of electronic medical records affecting 3 million individuals.
The organization is just the latest in a series of medical providers to disclose that efforts to better understand patients' behaviors left data exposed.
Over the summer, an investigation from The Markup found 33 of the top 100 U.S. hospitals as ranked by Newsweek leaked scheduling information to social media giant Meta via tracking pixels. The pixels, which are invisible to users on a website, are commonly used to measure online traffic and visitor behavior, but can be particularly revealing if placed on websites that offer sensitive services, such as health care.
Advocate Aurora Health operates 27 hospitals and more than 500 outpatient clinics, according to its website. In a Notice of Data Breach posted online, Advocate Aurora Health explained that tracking pixels from Google and Meta, or other similar tools, shared data, including some protected patient information, with third parties.
“Out of an abundance of caution, Advocate Aurora Health has decided to assume that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on AAH’s platforms, may have been affected,” a patient FAQ said.
The data potentially compromised included patient IP addresses, insurance or medical record number, and information about appointments such as their time, provider, and procedure. Advocate Aurora Health said it believes “no social security number, financial account, credit card, or debit card information” was compromised.
The organization wrote it has disabled such tracking tools on its services and has “launched an internal investigation to better understand what patient information was transmitted to our vendors.”
Advocate Aurora Health was previously among some 170 health care providers that had patient information compromised in a cybersecurity breach of radiation service provider Elekta in 2021.
It’s not the only health care organization managing fallout from tracking pixels.
WakeMed, which operates several hospitals around Raleigh, made a similar announcement last week — reporting that now-disabled tracking pixels from Meta may have compromised patient scheduling information from 2018 through this May.
Andrea Peterson (they/them) is a longtime cybersecurity journalist who cut their teeth covering technology policy at ThinkProgress (RIP) and The Washington Post before doing deep-dive public records investigations at the Project on Government Oversight and American Oversight.