Winston-Salem, North Carolina-based integrated delivery system Novant Health is notifying more than 1.36 million patients that their protected health information (PHI) may have been disclosed by a tracking tool installed on hospitals’ websites that has been collecting PHI and sending it to Facebook.
Novant appears to be the first health care organization to report a breach due to Meta Pixel (Meta is the parent company of Facebook). Meta Pixel runs in the background of any page that embeds it, gathering details about what website visitors search for, including medical conditions, prescriptions and doctor’s appointments, and then delivers that information to Facebook.[1] An investigation in June found Meta Pixel installed on the websites of one-third of the top hospitals.[2]
David Harlow, chief compliance and privacy officer at Insulet Corporation, said Novant Health’s disclosure doesn’t mean that every health system using Meta Pixel also has suffered a breach. “Each Meta Pixel configuration is likely to be a little different, and each covered entity using the pixel will have to make its own determination on how best to proceed,” he told RPP.
Still, Novant would not be reporting a breach if it did not believe one had occurred, Harlow said. “While I am not privy to Novant’s thinking, I would say that covered entities are generally not at all likely to notify patients and OCR [HHS Office for Civil Rights] of a breach unless it is really a breach, given the potential negative ramifications—reputational damage, individual and class-action lawsuits leveraging the disclosure, and so on.”
It’s unclear whether Novant’s decision will spur additional breach notifications from covered entities that have used Meta Pixel, Rebecca Herold, president of SIMBUS360 and CEO of The Privacy Professor, told RPP.
“I think other health care systems are probably in a wait-and-see mode right now, to see what the fallout is for Novant Health,” Herold said. “It certainly can be viewed as a test case, as use of Meta Pixel and other similar types of third-party service providers becomes more prevalent.”
In addition, two more class-action lawsuits were filed against Meta and health care organizations involving their use of Meta Pixel, bringing the total number of class actions to three.
PHI May Have Gone to Facebook
Novant said it installed the pixel on its website in May 2020.[3] “As our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goal of improving access to care through virtual visits and providing increased accessibility to counter the limitations of in-person care,” the company said in its breach notification.
“This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those efforts on Facebook,” the breach notification said. “A pixel is a piece of code that organizations commonly use to measure activity and experiences on their website. In this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”
Novant said it disabled and removed the pixel “immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta” and began an investigation to learn whether and to what extent information was transmitted.
“Based on that investigation, Novant Health determined on June 17, 2022, that it was possible sensitive information or PHI might have been disclosed to Meta, depending upon a user’s activity within the Novant Health website and MyChart portal,” the health system said.
Information that may have been shared inappropriately included email addresses, phone numbers, computer IP addresses, contact information entered into emergency contacts or advance care planning, and data such as appointment type and date and the physician selected. The pixel also may have captured “button and menu selections and content typed into free text boxes.”
“The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user. The letter sent to each patient will specifically state whether such financial information may have been involved,” Novant Health said in its breach notification.
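The pixel described above is a JavaScript snippet plus a `<noscript>` image fallback, and both leave recognisable traces in a page’s HTML; every event it reports is an HTTP request to facebook.com/tr whose query string carries the event name, the page URL and any captured field values. As an added example that is not code from the original article, from Novant or from Meta, the following Node.js script audits a page’s HTML for the pixel (loader script, `fbq('init', …)` calls, Advanced Matching object, `<noscript>` fallback) and classifies a captured pixel request into event, page URL, custom data and user data. The sample HTML, the request URL, the pixel ID 1234567890 and the hashed-email placeholder are constructed for the example; the query parameter names (`id`, `ev`, `dl`, `cd[...]`, `ud[...]`) and the `SubscribedButtonClick` event name follow what is commonly observed in pixel traffic and are treated as assumptions here.

```javascript
// Added example (not Novant's or Meta's code): static audit of page HTML for the
// Meta Pixel, plus a classifier for captured pixel requests to facebook.com/tr.
// All inputs below are constructed; the pixel ID 1234567890 is a placeholder.

// Loader script the standard pixel snippet injects.
const PIXEL_LOADER = /connect\.facebook\.net\/[\w-]+\/fbevents\.js/;
// fbq('init', '<id>') optionally followed by an Advanced Matching object {em:..., ph:...}.
const PIXEL_INIT = /fbq\(\s*['"]init['"]\s*,\s*['"](\d+)['"]\s*(,\s*\{)?/g;
// <noscript> fallback image: https://www.facebook.com/tr?id=...&ev=PageView&noscript=1
const PIXEL_IMG = /https?:\/\/www\.facebook\.com\/tr\?([^"'\s>]+)/g;

// Scan raw HTML and report every trace of the pixel it finds.
function scanForMetaPixel(html) {
  const result = { loaderFound: PIXEL_LOADER.test(html), pixelIds: [],
                   advancedMatching: false, noscriptEvents: [] };
  for (const m of html.matchAll(PIXEL_INIT)) {
    if (!result.pixelIds.includes(m[1])) result.pixelIds.push(m[1]);
    if (m[2]) result.advancedMatching = true; // identifiers passed at init time
  }
  for (const m of html.matchAll(PIXEL_IMG)) {
    const q = new URLSearchParams(m[1].replace(/&amp;/g, '&'));
    result.noscriptEvents.push({ id: q.get('id'), ev: q.get('ev') });
  }
  result.present = result.loaderFound || result.pixelIds.length > 0 ||
                   result.noscriptEvents.length > 0;
  return result;
}

// Split a captured pixel request into the fields a privacy review cares about.
// Parameter names (assumption): id = pixel ID, ev = event, dl = page URL,
// cd[key] = custom/event data, ud[key] = (hashed) user identifiers.
function classifyPixelRequest(url) {
  const u = new URL(url);
  const out = { pixelId: u.searchParams.get('id'), event: u.searchParams.get('ev'),
                pageUrl: u.searchParams.get('dl'), customData: {}, userData: {}, flags: [] };
  for (const [k, v] of u.searchParams) {
    let m;
    if ((m = /^cd\[(.+)\]$/.exec(k))) out.customData[m[1]] = v;
    else if ((m = /^ud\[(.+)\]$/.exec(k))) out.userData[m[1]] = v;
  }
  if (Object.keys(out.userData).length > 0) out.flags.push('user-identifiers-present');
  if (Object.keys(out.customData).length > 0) out.flags.push('page-content-captured');
  if (out.pageUrl && /mychart|portal|appointment|schedule/i.test(out.pageUrl)) {
    out.flags.push('page-url-reveals-visit-context'); // the URL alone can be PHI in context
  }
  return out;
}

// Constructed sample page: loader, init with Advanced Matching, noscript fallback.
const SAMPLE_HTML = `
<html><head>
<script>
!function(f,b,e,v,n,t,s){/* loader body elided */}(window,document,'script',
  'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '1234567890', {em: 'patient@example.com'});
fbq('track', 'PageView');
</script>
</head><body>
<noscript><img height="1" width="1" style="display:none"
  src="https://www.facebook.com/tr?id=1234567890&amp;ev=PageView&amp;noscript=1"/></noscript>
<a href="/mychart/schedule">Schedule an appointment</a>
</body></html>`;

// Constructed sample request, as a devtools network filter on facebook.com/tr would show it.
const SAMPLE_REQUEST =
  'https://www.facebook.com/tr/?id=1234567890&ev=SubscribedButtonClick' +
  '&dl=https%3A%2F%2Fportal.example.org%2Fmychart%2Fschedule' +
  '&cd%5BbuttonText%5D=Schedule%20an%20appointment' +
  '&ud%5Bem%5D=placeholderhash';

console.log(JSON.stringify(scanForMetaPixel(SAMPLE_HTML), null, 2));
console.log(JSON.stringify(classifyPixelRequest(SAMPLE_REQUEST), null, 2));
```

Run it with `node pixel_audit.js`; point `scanForMetaPixel` at saved HTML of each portal page (including pages behind login, where the pixel is most damaging) and feed `classifyPixelRequest` the URLs a browser’s network tab shows for facebook.com/tr. A request with both `ud[...]` identifiers and `cd[...]` or `dl` values that name a clinic, physician or appointment is the configuration Novant’s notice describes.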