Novant Health has recently issued a notification reporting that a data breach occurred involving the PHI of over 1.36 million patients. The unauthorized disclosure of PHI resulted from an incorrect configuration of Meta Pixel code.
The Meta Pixel is a snippet of JavaScript code that monitors website users and sends the data to Meta (Facebook) so that Meta can serve targeted advertisements. According to Meta, organizations using Meta Pixel are prohibited from submitting sensitive information. When Meta receives sensitive information, it filters it out to prevent it from being used to provide targeted advertisements. However, the filtering process is not working.
In the breach notification letters, Novant Health explained that, in order to improve access to care through virtual visits and to counter the limitations of in-person care, it launched a promotional campaign to reach more patients via the Novant Health MyChart patient portal. To track the efficiency of those Facebook advertising efforts, a tracking pixel from Meta was installed on Novant Health's website, but due to incorrect configuration, the pixel may have allowed some sensitive personal information to be sent to Meta from the Novant Health website and MyChart portal.
Novant Health promptly deactivated and deleted the offending pixel from the patient interface after discovering the possible privacy infringement. It also started an investigation to see how much data was being sent to Meta. The healthcare provider determined that the data involved information such as the email address, phone number, IP address, appointment type and date, physician chosen, contact information, menu selections, and any content typed by the user into free text boxes, including Social Security number and financial information.
Despite detecting that data had been sent to Meta, Novant Health was unable to determine whether Meta had used the data for targeted advertisements or any other purpose. Novant Health has maintained that notification letters will list which of the patient's information was shared with Meta. The healthcare provider will also provide credit monitoring to affected individuals free of charge.