Advocate Aurora Health discloses data breach, 3 million could be affected

The system says there’s no evidence of fraud or misuse of information. The breach stems from an online tool meant to track patient trends, and other health systems have reported similar incidents.

The Advocate Aurora Health system says the system has suffered a breach affecting patient information.

Advocate Aurora, one of America’s largest non-profit health systems, said in a statement that some information has been transmitted to other companies due to tracking technologies from Facebook and Google. These online tools, called pixels, track patient trends and preferences on Advocate Aurora's websites. Many hospitals, and many businesses, use pixels on their websites.

Pixels and other technologies on patient portals, available through MyChart and LiveWell websites, and some scheduling widgets, transmitted some patient information, Advocate Aurora said.

As many as 3 million people could be affected, according to the U.S. Department of Health and Human Services Office of Civil Rights. Organizations are required by federal law to notify the health department about breaches of health data that affect 500 people or more.

To date, the Advocate Aurora incident has affected more people than any other breach reported this year to the HHS Office of Civil Rights. Other health systems have recently reported similar breaches involving tracking tools sending data to Facebook.

At this point, Advocate Aurora said its investigation indicates no Social Security numbers, financial account, credit card, or debit card information was involved in the breach.

Advocate Aurora, which serves patients in Illinois and Wisconsin, said it has disabled the pixel technology. The health system said out of caution, it is assuming that all users of Advocate Aurora MyChart accounts, the LiveWell application, and anyone who used the health system’s scheduling widgets, may have been affected.

The system said it hasn’t found any evidence of fraud stemming from the incident, and said the pixels would be very unlikely to result in identity theft or any financial harm. Patients and customers are advised to monitor their financial accounts for any signs of unusual activity.

Advocate Aurora said the following patient information could have been exposed: IP addresses; dates, times, and/or locations of scheduled appointments; type of appointment or procedure; communications with others through MyChart, which may have included first and last name and medical record numbers; information about whether patients have insurance; patients’ proximity to an Advocate Aurora Health location; and, for those with a proxy MyChart account, your first name and the first name of your proxy.

Other hospitals have been using tracking technology on their websites have inadvertantly sent patient information to Facebook.

An analysis found that 33 of Newsweek’s top 100 hospitals were using the Meta Pixel and sending sensitive data to Facebook, according to an investigation by The Markup, a nonprofit news organization. Following that report, nearly all of those hospitals stopped using the pixel or blocked transfers of patient information to Facebook, The Markup reported.

Meta, Facebook’s parent company, faced questions about the collection of patient data in a Senate committee hearing last month. U.S. Sen. Jon Ossoff, D-Ga., asked Meta in a Sept. 14 hearing if the company is collecting healthcare or medical data from its users.

Meta has faced a growing number of questions about collecting health information. A complaint filed in California alleges that more than 600 hospital systems and medical provider websites have sent data to Facebook via its tracking tool, Bloomberg Law reported in August. Meta has said the pixel isn't designed to send private health information to the social media giant.

Advocate Aurora said it will continue to examine ways to reduce the risk of unintentional disclosures of patient information. The system said it will use a more robust vetting process before deploying any tracking information on its websites in the future.

Patients are advised they can obtain a free annual credit report by visiting www.annualcreditreport.com, or calling toll-free 877-322-8228.

Advocate Aurora operates 27 hospitals and more than 500 sites of care in Illinois and Wisconsin. Atrium Health and Advocate Aurora said this year they are planning to merge and create a system with $27 billion in annual revenue. Regulators must sign off on the deal, but if the merger is approved, healthcare industry analysts have said it could spur other hospital deals.

Healthcare systems around the country have dealt with breaches of patient information. Millions of Americans have been affected by healthcare breaches this year.

Novant Health notified some of its patients and customers about the potential disclosure of patient health information to Meta due to what it termed as incorrect configuration of a pixel. More than 1.3 million people were affected, according to HHS.

WakeMed in North Carolina said last week that it had inadvertently transmitted information to Facebook with its pixel between March 2018 and May 2022. WakeMed sent letters to nearly 500,000 people about the issue, the News & Observer reported. WakeMed said it has disabled the tracking tool.

Many hospitals have been affected by breaches that have occurred as a result of cyberattacks.

CommonSpirit Health is continuing to deal with a ransomware attack that has affected its systems and caused some patients to reschedule appointments.