Health system data breach due to Meta Pixel hits 3 million patients

Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients.

The incident was caused by the improper use of Meta Pixel on AAH’s websites, where patients log in and enter sensitive personal and medical information.

Meta Pixel is a JavaScript tracker that helps website operators understand how visitors interact with the site, helping them make targeted improvements.

However, the tracker also sends sensitive data to Meta (Facebook), which is then shared with a massive network of marketers who target patients with advertisements that match their conditions.

This privacy breach has taken the U.S. by storm, as Meta Pixel is used by many hospitals in the country, exposing millions of people to third parties and sparking class action lawsuits against the responsible organizations.

In August 2022, U.S. healthcare provider Novant Health disclosed its improper use of Meta Pixel in its implementation of the ‘MyChart’ portal, exposing 1.3 million patients.

The ‘MyChart’ patient portal is also used by AAH, along with another platform named ‘LiveWell,’ both of which had active Meta Pixel trackers.

“When patients used Advocate Aurora Health patient portals available through MyChart and LiveWell platforms, as well as some of our scheduling widgets, certain protected health information (“PHI”) would be disclosed in certain circumstances, particularly for users concurrently logged into their Facebook or Google accounts.” – AAH.

AAH’s data breach notification says that the following information may have been exposed via Meta Pixel:

  • IP address
  • Dates, times, and locations of scheduled appointments
  • Proximity to an AAH location
  • Medical provider information
  • Type of appointment or procedure
  • Communications between MyChart users, which may have included first and last names and medical record numbers
  • Insurance information
  • Proxy account information

AAH reported to the U.S. Department of Health that the breach affected 3 million people, and the department listed it on its breach report portal.

The healthcare provider has disabled the Pixel tracker on all systems and is implementing safeguards to prevent a similar exposure from happening again.
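One way to check a portal page for the tracker described above, as an added example that is not from the original article or from AAH: it lists Meta Pixel indicators in page markup and tests whether a Content-Security-Policy would let the page reach the Pixel hosts. The sample page, the placeholder pixel ID and the function names are constructed for illustration.

```javascript
// Added example: audit portal markup and CSP for the Meta Pixel.
// Loader host and event endpoint host used by the Meta Pixel.
const LOADER_HOST = "connect.facebook.net";
const EVENT_HOST = "www.facebook.com";

// Constructed sample page; the pixel ID is a placeholder.
const SAMPLE_HTML = `<head>
<script src="/static/portal.js"></script>
<script>
!function(f,b,e,v){/* loader body elided */}(window, document, 'script',
  'https://connect.facebook.net/en_US/fbevents.js');
fbq('init', '000000000000000');
fbq('track', 'PageView');
</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&ev=PageView"></noscript>
</head>`;

// List Pixel indicators: loader URL, /tr beacon URL, and fbq() calls.
function findPixel(html) {
  const hits = [];
  for (const m of html.matchAll(/https?:\/\/([a-z0-9.-]+)(\/[^\s"'<>]*)?/gi)) {
    const host = m[1].toLowerCase(), path = m[2] || "/";
    if (host === LOADER_HOST) hits.push("loader:" + path);
    else if (host === EVENT_HOST && /^\/tr(\?|\/|$)/.test(path)) hits.push("beacon:/tr");
  }
  for (const m of html.matchAll(/\bfbq\(\s*['"]([\w-]+)['"]/g)) hits.push("fbq:" + m[1]);
  return hits;
}

// Simplified CSP check: does `directive` (falling back to default-src) let
// the page reach https://<host>? Ignores nonces, hashes and strict-dynamic.
function cspAllows(csp, directive, host) {
  const rules = {};
  for (const part of csp.split(";")) {
    const [name, ...srcs] = part.trim().split(/\s+/);
    if (name) rules[name.toLowerCase()] = srcs;
  }
  const srcs = rules[directive] || rules["default-src"];
  if (!srcs) return true; // no applicable directive means no restriction
  return srcs.some((s) => {
    s = s.toLowerCase().replace(/^https:\/\//, "");
    if (s === "*" || s === "https:") return true;
    if (s.startsWith("*.")) return host.endsWith(s.slice(1));
    return s === host;
  });
}
```

Run `findPixel` over the rendered HTML of authenticated pages, and `cspAllows` over the response's policy for `script-src`, `connect-src` and `img-src`; a page that should carry no tracker should produce no hits and no allowed Pixel host.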

Patients are advised to use their web browsers’ tracker-blocking features or use incognito mode when logging in on medical portals. Those with a Facebook or Google account should review their privacy settings.

AAH has also compiled a FAQ page to help patients find answers to common questions about the data breach.


  • CJatWork – 4 days ago

    Is it a “breach” if it is simply a poor configuration? Smells more like a HIPAA violation has been uncovered if you ask me. I’m no legal eagle but I’m pretty sure Facebook needs to know zero about my health care situation. ZERO. Is there a lawyer in the house?

  • h_b_s – 4 days ago

    No lawyer is going to give out legal advice for free. It has little to do with greed. Unguarded professional advice sets one up for a lawsuit, and no rando on the Internet is worth it.

  • CJatWork – 4 days ago

    I think you’ve misunderstood my post. Perhaps I should have put quotes around the last sentence and added in a winking smile emoji. It was simply a lighthearted spin on ‘Is there a Doctor in the house?’; loosely sticking with the theme of the article. Not looking for free advice on a class-action suit. I imagine there are all manner of tech enthusiasts that could also have a legal background and might opine on my other statements if they scrolled down here into the comments area and felt so inclined.

  • h_b_s – 3 days ago

    Snark aside, there’s no private right to action over HIPAA violations. These class action suits have to pursue other legal avenues to bring their cases. HIPAA only grants the federal government the right to pursue legal action against medical firms for patient confidentiality breaches. You basically have to hope that the DoJ will choose to use its limited resources to go after these hospitals. I doubt they’ll go after Meta directly because they probably weren’t actively complicit with the nincompoops that screwed up, much as I’d like to see Meta taken out and given a thorough switching.
