Printer Friendly, PDF & Email

Meta Pixel Woes Mount: Novant Discloses Breach Involving Tracker; Three Suits Filed

Winston-Salem, North Carolina-based integrated delivery system Novant Health is notifying more than 1.36 million patients that their protected health information (PHI) may have been disclosed by a tracking tool installed on hospitals’ websites that has been collecting PHI and sending it to Facebook.

Novant appears to be the first health care organization to report a breach due to Meta Pixel (Meta is the parent company of Facebook). Meta Pixel operates in the background, gathering details about medical conditions website visitors search for—prescriptions and doctor’s appointments—and then delivers that information to Facebook.[1] An investigation in June found Meta Pixel had been installed on one-third of top hospitals’ websites.[2]

David Harlow, chief compliance and privacy officer at Insulet Corporation, said Novant Health’s disclosure doesn’t mean that every health system using Meta Pixel also has suffered a breach. “Each Meta Pixel configuration is likely to be a little different, and each covered entity using the pixel will have to make its own determination on how best to proceed,” he told RPP.

Still, Novant would not be reporting a breach if it didn’t one occurred, Harlow said. “While I am not privy to Novant’s thinking, I would say that covered entities are generally not at all likely to notify patients and OCR [HSS Office for Civil Rights] of a breach unless it is really a breach, given the potential negative ramifications—reputational damage, individual and class-action lawsuits leveraging the disclosure, and so on.”

It’s unclear whether Novant’s decision will spur additional breach notifications from covered entities that have used Meta Pixel, Rebecca Herold, president of SIMBUS360 and CEO of The Privacy Professor, told RPP.

“I think other health care systems are probably in a wait-and-see mode right now, to see what the fallout is for Novant Health,” Herold said. “It certainly can be viewed as a test case, as use of Meta Pixel and other similar types of third-party service providers becomes more prevalent.”

In addition, two more class-action lawsuits were filed against Meta and health care organizations involving their use of Meta Pixel, bringing the total number of class actions to three.

This document is only available to subscribers. Please log in or purchase access.

Would you like to read this entire article?

If you already subscribe to this publication, just log in. If not, let us send you an email with a link that will allow you to read the entire article for free. Just complete the following form.

* required field