Meta Pixel Woes Mount: Novant Discloses Breach Involving Tracker; Three Suits Filed

By Jane Anderson

Winston-Salem, North Carolina-based integrated delivery system Novant Health is notifying more than 1.36 million patients that their protected health information (PHI) may have been disclosed by a tracking tool installed on hospitals’ websites that has been collecting PHI and sending it to Facebook.

Novant appears to be the first health care organization to report a breach due to Meta Pixel (Meta is the parent company of Facebook). Meta Pixel operates in the background, gathering details about medical conditions website visitors search for—prescriptions and doctor’s appointments—and then delivers that information to Facebook.[1] An investigation in June found Meta Pixel had been installed on one-third of top hospitals’ websites.[2]

David Harlow, chief compliance and privacy officer at Insulet Corporation, said Novant Health’s disclosure doesn’t mean that every health system using Meta Pixel also has suffered a breach. “Each Meta Pixel configuration is likely to be a little different, and each covered entity using the pixel will have to make its own determination on how best to proceed,” he told RPP.

Still, Novant would not be reporting a breach if it didn’t one occurred, Harlow said. “While I am not privy to Novant’s thinking, I would say that covered entities are generally not at all likely to notify patients and OCR [HSS Office for Civil Rights] of a breach unless it is really a breach, given the potential negative ramifications—reputational damage, individual and class-action lawsuits leveraging the disclosure, and so on.”

It’s unclear whether Novant’s decision will spur additional breach notifications from covered entities that have used Meta Pixel, Rebecca Herold, president of SIMBUS360 and CEO of The Privacy Professor, told RPP.

“I think other health care systems are probably in a wait-and-see mode right now, to see what the fallout is for Novant Health,” Herold said. “It certainly can be viewed as a test case, as use of Meta Pixel and other similar types of third-party service providers becomes more prevalent.”

In addition, two more class-action lawsuits were filed against Meta and health care organizations involving their use of Meta Pixel, bringing the total number of class actions to three.

PHI May Have Gone to Facebook

Novant said it installed the pixel on its website in May 2020.[3] “As our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goal of improving access to care through virtual visits and provide increased accessibility to counter the limitations of in-person care,” the company said in its breach notification.

“This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those efforts on Facebook,” the breach notification said. “A pixel is a piece of code that organizations commonly used to measure activity and experiences on their website. In this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.”

Novant said it disabled and removed the pixel “immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta” and began an investigation to learn whether and to what extent information was transmitted.

“Based on that investigation, Novant Health determined on June 17, 2022, that it was possible sensitive information or PHI might have been disclosed to Meta, depending upon a user’s activity within the Novant Health website and MyChart portal,” the health system said.

Information that may have been shared inappropriately included: email addresses, phone numbers, computer internet provider addresses, contact information entered into emergency contacts or advanced care planning, data such as appointment type and date and the physician selected. The pixel also may have captured “button and menu selections and content typed into free text boxes.”

“The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user. The letter sent to each patient will specifically state whether such financial information may have been involved,” Novant Health said in its breach notification.

This document is only available to subscribers. Please log in or purchase access.
Purchase Login
 


Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field

First name field cannot be blank!
Last name field cannot be blank!
We will send you an email that will give you access to this entire article.
Email field cannot be blank!
Enter a valid email!
Company field cannot be blank!
Enter a valid company!
Title field cannot be blank!

We're committed to your privacy. The Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA) uses the information you provide us to contact you about our relevant content, products, and services. For more information, check out our Privacy Policy.


About SCCE

The Society of Corporate Compliance and Ethics (SCCE) is a non-profit, member-based professional association. SCCE supports our members' work with education, news, and discussion forums. We are a community of leaders, defining and shaping the corporate compliance environment across a wide range of industries and geographic regions. In developing and maintaining effective ethics and compliance programs, our members strengthen and protect their companies.

952.933.4977

About HCCA

The Health Care Compliance Association (HCCA), is a 501(c)6 non-profit, member-based professional association. HCCA was established in 1996 and is headquartered in Minneapolis, MN. We provide training, certification, and other resources to over 10,000 members. Our members include compliance officers and staff from a wide range of organizations, including hospitals, research facilities, clinics and technology service providers.

952.988.0141

Facebook Twitter LinkedIn
Copyright © 2024 by Society of Corporate Compliance and Ethics (SCCE) & Health Care Compliance Association (HCCA). No claim to original US Government works. All rights reserved. All information provided through this site, including without limitation all information such as the “look and feel” of the site, data files, graphics, text, photographs, drawings, logos, images, sounds, music, video or audio files on this site, is owned and/or licensed by SCCE & HCCA or its suppliers and is subject to United States and international copyright, trademark and other intellectual property laws. Any third party logos and/or content provided herein is owned by such third parties and is used by permission herein. Your use of this site to is subject to our Terms Of Use and Privacy Statement.
Cookie settings