A data breach in the Advocate Aurora Health hospital system may have exposed the personal health information of up to 3 million Wisconsin and Illinois patients to outside companies like Google and Facebook.
Advocate Aurora is the largest health care provider in the state, with 17 hospitals across Wisconsin. Health care organizations, hospitals and clinics are subject to the federal Health Insurance Portability and Accountability Act, or HIPAA, which protects people's personal health information.
The hospital system uses online tracking technologies from companies like Google and Facebook, including "pixels" — tiny bits of code or images — that collect data on users and the information they see on a page, which made its platform vulnerable to attack, according to its notice this week. Those pixels, which track and send data on users to third parties, were on "patient portals" through its MyChart and LiveWell websites and applications.
"These pixels would be very unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident," the statement said. "Nevertheless, we always encourage patients to regularly review their financial accounts and report any suspicious, unrecognized or inaccurate activity immediately."
The information at risk includes patients' medical providers, IP addresses, dates and locations of scheduled appointments, among other sensitive materials. The health system alerted the Department of Health and Human Services on Friday, the Associated Press reported.
Advocate Aurora has disabled its use of pixels from its platforms. In its notice, the company said no Social Security or financial information was breached.
University of Wisconsin-Madison computer science professor Paul Barford, an expert in Internet security, was shocked that a health care application would use pixels on its page.
"It's a real surprise that a commercial entity that is interacting with people related to their health, would think that this is something that's reasonable, and proceed with it," he said.
The organization said it's "not aware of any misuse of information arising from this incident," but urges patients to take precautions such as checking financial statements.
Dorothea Salo, who teaches information security at UW-Madison, was unsurprised.
"This is not the first, it won't be the last, health system to realize it's doing this," she said. "The practice of assessing your web presence is incredibly common — practically ubiquitous. Web designers have to prove that websites are doing what they're intended to do."
Advocate Aurora is not the only hospital system to use Meta Pixel, according to a June report by The Markup.
For the big tech giants of the world, the pixels are a business opportunity to build up "huge dossiers on all of us," Salo said. Companies like Facebook receive data on users through the pixels.
Another challenge for hospitals is focusing their resources on building up security when patient care takes precedence.
"It is a genuine shame that (organizations) have to worry about Facebook and Google and black hat hackers. But the ultimate answer, I'm afraid, is actually tightening up their security and taking a really hard look at their analytics practices and where else that data is going," Salo said.
She recommends people block ad trackers by switching their browsers and opting for Firefox or Brave. The information exposed in this case depends on whether patients were logged into Facebook or Google, whether they use or clear cookies, and their browser, according to the Advocate Aurora notice.
Salo said there are plug-in systems like Privacy Badger that can help users protect their privacy.
Barford agreed that people should try using ad-blocking technology to identify and block pixels from webpages.