Novant Health Patients PHI Exposed via Meta Pixel Code on Patient Portal

Novant Health has just notified patients of a breach of their protected health information (PHI) caused by a misconfiguration of Meta Pixel code on its patient website.

Code Snippet Transmitting Sensitive Patient Information to Meta

At the beginning of this year, The Markup conducted an investigation into the use of Meta Pixel code on the websites of healthcare providers. The investigation revealed that 33 of the 100 top-rated hospitals in America had used Meta Pixel code on their web pages. Moreover, 7 hospitals used the code on their password-protected patient web pages. The 7 hospitals were FastMed, Community Health Network, Edward-Elmhurst Health, Novant Health, Renown Health, WakeMed, and Piedmont.

Meta Pixel is a piece of JavaScript code used to track site visitors. The information it collects is transmitted to Meta (Facebook), where it can be used to deliver targeted adverts. Meta says that companies that use Meta Pixel are not meant to transmit sensitive information. If Meta finds that it has been sent sensitive information in error, that information is blocked so that it is not used to deliver targeted adverts. That procedure doesn’t seem to be working well. And although the data is blocked, it is still being transmitted to Meta.

After the report was published, several lawsuits were filed on behalf of people whose personal data and PHI were shared with Meta through the Meta Pixel code on healthcare company portals. The lawsuits assert a breach of federal and state privacy regulations, since the data was transmitted with no express permission from the patients.

A patient of MedStar Health System, based in Baltimore, filed a class action lawsuit alleging that Meta Pixel was used on the sites of about 664 healthcare companies, allowing patient information to be transmitted to Meta in violation of the Health Insurance Portability and Accountability Act (HIPAA). Another lawsuit, against Meta, Dignity Health, and the University of California San Francisco, was filed with the main plaintiff alleging to have received targeted advertisements after sensitive data regarding a health matter was shared on the patient website. Recently, an identical lawsuit was filed against Meta and Northwestern Memorial Hospital, based in Chicago, IL.

Novant Health Informs Patients of Meta Pixel Data Breach

Novant Health recently informed an as yet unknown number of patients about the disclosure of some of their protected health information (PHI) to Meta. It is the first healthcare company to send breach notification letters to patients in connection with its use of the Meta Pixel code.

Novant Health said in its breach notification letters that an improper configuration of [Meta] Pixel resulted in the transfer of PHI to Meta. It also said that it wished to be transparent about the data breach and about why it used the pixel code on its site.

Because of the COVID-19 pandemic, Novant Health ran a promotional campaign to connect more patients to its Novant Health MyChart patient website. The goals were to improve access to care via virtual consultations and to offer more access in response to the limits on in-person care. The campaign used Facebook ads, and a Meta tracking pixel was added to the website to measure the success of those advertisements. However, the pixel was set up incorrectly and might have allowed some private data to be sent to Meta from the website and the MyChart portal.

When informed of the likely privacy breach, Novant Health promptly deactivated the pixel, removed it from the patient website, and started an investigation to determine the extent to which data was being sent to Meta. On June 17, 2022, Novant Health confirmed that PHI might have been unintentionally transmitted, depending on the type of user actions on the patient website. The data sent would have differed from individual to individual, and might have included a person’s email address, telephone number, IP address, button/menu selections, contact details entered into Advanced Care Planning or Emergency Contacts, type and date of appointment, doctor chosen, and/or content entered into text boxes.

Novant Health explained that it did not find any proof that Meta or any third party has used the transferred data. If a person entered financial details or a Social Security number, that data might also have been transmitted to Meta. Novant Health stated that the notification letters sent to individuals would mention when such data was disclosed, and that in that case free credit monitoring services will be provided to the affected persons.