A patient affected by a data breach at Advocate Aurora Health has sued the healthcare system in a class-action lawsuit, claiming his private information was shared with Facebook, in a breach that could have affected three million patients.
The patient alleged that the patient portal he used to communicate with his doctors at Advocate Aurora and to schedule appointments used a pixelated code that also enabled logging in via Facebook and then shared data with Facebook.
“Whenever a patient uses Advocate’s websites and applications, including its LiveWell portal, Advocate and Facebook intercept, contemporaneously cause transmission of, and use personally identifiable patient information and PHI without patients’ knowledge, consent, or authorization,” Alistair Stewart said in his complaint filed in Northern Illinois District Court last week.
The case comes shortly after Advocate Aurora, based in Wisconsin and Illinois, issued a statement on October 21 on its website stating that a data breach had occurred. To remedy the breach, the hospital system had disabled the “pixel system” that tracked patient information and shared it with websites such as Facebook. The healthcare system also said it launched an internal investigation to understand what patient information was leaked.
In his complaint requesting class-action status for all of those affected by the breach, Stewart alleged that the healthcare system and Facebook were aware that personal information was not protected, violating HIPAA. Stewart claimed that the way the “pixel” technology works, allowing third-party vendors to track patient browsing trends, shows that lack of data security Advocate Aurora had for its patients.
“At all relevant times, Advocate and Facebook knew that the Meta Pixel intercepted and disclosed personally identifiable patient information and PHI,” Stewart said in the complaint. “This was evidenced from, among other things, the functionality of the Pixel, including that it enabled Advocate’s LiveWell portal to show targeted advertising to its digital subscribers based on the products those digital subscribers had previously viewed on the website, including certain medical tests or procedures, for which Advocate received financial remuneration,” Stewart said.
The data breach could have affected 3 million patients, according to the Health and Human Services’ list of cases under investigation.
In the news release Advocate issued October 21, the healthcare system said that a variety of sensitive patient information had been compromised. That included the type of appointment or procedure a patient had, communications between patients and physicians that took place on MyChart, medical record numbers, information about a patient’s insurance status, and more.
The HHS list of ongoing investigations of healthcare data breaches shows how widespread the problem is, with new data breaches being reported nearly every day, and in a number of states. Although Advocate’s data breach was by far the largest in terms of the number of patients affected in the past month, several other data breaches in the past few weeks impacted hundreds of thousands of people each.
For example, in North Carolina, a data breach occurred at WakeMed Health and Hospitals affecting nearly 500,000 people, and reported the same day as Advocate’s data breach. At Keystone Health in Pennsylvania, more than 235,000 people were affected by a data breach also occurring in the past month.
Advocate Aurora Health and Meta did not immediately reply to requests for comment.
Photo: JuSun, Getty Images
