Healthcare Provider Issues Warning After Tracking Pixels Leak Patient Data

  • US healthcare provider Novant Health has notified patients that their protected health information may have been leaked through a tracking tool linked to Facebook.

    The company made the announcement in a blog post last Friday, where it apologized for the concern this may have caused patients.

    The post does not specify how many patients were affected by the pixel tracking but mentions Novant has mailed 1.3 million notification letters.

    Data potentially leaked included demographic information such as email address, phone number, computer IP address and contact information entered into Emergency Contacts or Advanced Care Planning.

    Also, information such as appointment type and date, physician selected, button/menu selections and/or content typed into free text boxes.

    Novant added that the information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user.

    “The letter sent to each patient impacted will specifically state whether such financial information may have been involved,” Novant explained.

    According to the company, the leak would have taken place following an incorrect configuration of an online tracking tool from the Facebook parent company Meta.

    “In May 2020 […] Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goals of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care,” the company wrote.

    The campaign involved Facebook advertisements and a Meta tracking pixel placed on the Novant Health website to help understand the success of advertisement efforts on Facebook.

    “However, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal,” reads the post.

    Once made aware of the potential issue, Novant said it immediately disabled and removed the pixel from their site.

    “We also have implemented more structure, governance and policies around the use of pixels and promise that we will take appropriate actions to ensure that this does not happen again,” the company added.

    The leak comes weeks after US-based debt collector Professional Finance Company (PFC) reported a data breach affecting 1.9 million individuals across over 650 different healthcare providers.