Three million patients' personal information was compromised in a data breach at the Wisconsin and Illinois healthcare network Advocate Aurora Health (AAH), which operates 26 hospitals.

On the AAH websites, where users login and provide private personal and medical data, Meta Pixel was misused, which led to the problem.

As a JavaScript tracker, Meta Pixel provides deeper insight into user behavior that may be leveraged to improve the overall user experience.

However, the tracker also communicates private information to Meta (Facebook), where it is sent to a vast marketing network that uses the information to show patients' condition-specific adverts.

As millions of individuals were exposed to third parties and class action lawsuits were filed against the relevant institutions, this privacy breach has wreaked havoc in the United States because of widespread usage of Meta Pixel by hospitals.

In August 2022, the U.S. healthcare company Novant Health announced its inappropriate usage of Meta Pixel in its deployment of the 'MyChart' interface, putting 1.3 million patients at risk.

AAH utilizes both the 'MyChart' patient interface and the 'LiveWell' platform, both of which have active Meta Pixel trackers.

"When patients used Advocate Aurora Health patient portals available through the MyChart and LiveWell platforms, as well as some of our scheduling widgets, protected health information ("PHI") was disclosed in certain circumstances, particularly for users concurrently logged into Facebook or Google accounts." - AAH.

According to the AAH data breach, the following information may have been disclosed through Meta Pixel:

• IP address
• Scheduled appointment dates, times, and places
• Healthcare provider data
• Type of treatment or consultation
• Communications between MyChart users may have included first and last names and medical record numbers.
• Information about insurance
• Information about proxy account

AAH reported the data breach affecting 3 million individuals to the U.S. Department of Health, which included the incident on its site for breach report submissions.

The healthcare organization has deactivated Pixel trackers on all systems and is adopting procedures to avoid a similar breach from occurring in the future.

Patients are instructed to utilize the tracker-blocking capabilities of their web browsers or the incognito mode when signing in to medical sites. Review your Facebook and Google privacy settings.

AAH has also established a Frequently Asked Questions (FAQ) website to assist patients in finding answers to frequently asked questions about the data breach.