More than 1.3 million users have received notices from healthcare provider Novant Health that their private health data (PHI) had unintentionally been leaked to Facebook parent firm Meta.
Facebook marketers can add JavaScript a monitoring script known as Meta Pixel to their website to monitor the effectiveness of their advertising. Unauthorized patient records access and disclosure started in May 2020, when Novant launched Facebook ad-based marketing campaigns to promote the COVID-19 vaccine.
The company said that Novant Health was employing a misaligned pixel on both its website as well as the Novant Health MyChart patient interface and the pixel carried code that allowed businesses to track website activity.
The healthcare company placed the Meta Pixel code on its website to track these advertisements and evaluate their effectiveness.
After a reporter contacted and questioned about the use of MetaPixel, the pixel was introduced to the portals in May 2020 and disabled in May 2022, after Novant Health learned of the potential data exposure.
Depending on a user's activity on the Novant Health website and MyChart interface, it was possible PHI would have been shared to Meta, Novant Health decided in June 2022.
Email addresses, phone numbers, computer IP addresses, contact information patients entered into Advanced Care Planning or Emergency Contacts, appointment information, the doctor they chose, and data like button/menu selections and or content typed into free text boxes were all potentially impacted information.
64 healthcare service providers in the United States use the MyChart portal, which enables their users to schedule medical appointments, ask for prescription refills, get in touch with their clinicians, and more.
Unfortunately, this means that due to the tracker's improper setting, even people who haven't actually used Novant's services may nonetheless have been exposed.
"Advertisers shouldn't send private data about individuals through our business tools. This is against our policies, and to avoid it from happening, we instruct advertising on how to set up business tools correctly. Our technology is built to weed out any potentially sensitive information it can find. We'll keep trying to get in touch with Novant," a Meta spokeswoman stated.
Only those who received notices may consider themselves victims of a breach, according to the company, which claims it has identified the affected persons following a thorough investigation that was finished on June 17, 2022. Novant claimed that it's not aware of any "improper or attempted use" of the information by Meta or any other third party.
