Consumer Watchdog

Chicago health care provider shared 3 million patients’ sensitive data with Meta & Google


This week, one of Chicago’s largest health care providers, Advocate Aurora, announced it had inadvertently transmitted the sensitive information of 3 million patients to Meta, Google, and possibly other third-party companies. 

The culprit of the breach was “pixels” – little pieces of code often installed in the background of websites that track visitors’ behavior, similar to web cookies. Advocate Aurora embedded them in its patient portal in an effort to understand how users interacted with the site and how the tool could be better designed to meet patients’ needs. What it didn’t realize, however, was the amount of data transmitted to the companies behind these pixels.

According to Advocate Aurora, data that may have been sent to outside companies includes: patient name and medical record number, dates and times of scheduled appointments, type of appointment or procedure, whether a patient had health insurance, IP address of a patient’s device, and patient proximity to one of the health care provider’s locations. 

Advocate Aurora is far from the only health care provider to use pixels on its web pages and portals. Class action lawsuits over the use of Meta’s pixel trackers have been lodged against the UCSF Medical Center in San Francisco, the MedStar Health System in Baltimore, and another Chicago provider, Northwestern Memorial.

What’s clear is that we need better data protections for patients using the web to look up medical info or interact with their providers online. Our health privacy laws, like HIPAA, fail to protect patients in the internet age. In addition to updated laws, health care providers need to put policies in place to ensure their patients’ information is protected.
