Advocate data breach affects as many as 3 million

A data breach at hospital system giant Advocate Aurora Health may have exposed the information of as many as 3 million patients who use its online patient portals and other tools, the system said.

Advocate Aurora, which has 27 hospitals in Illinois and Wisconsin, said exposed patient data may include IP addresses; dates, times, and/or locations of scheduled appointments; a patient’s proximity to an Advocate Aurora Health location; information about patients’ provider; types of appointment or procedures; and communications between patients and others on MyChart.

Advocate Aurora said in a statement on its website that it has launched an internal investigation, and does not believe Social Security numbers, financial accounts, credit card or debit card information were leaked.

The system said the breach is unlikely to lead to identity theft or financial harm, and it’s seen no evidence of misuse of information or fraud.

The health system cited pixel technology as the cause of the breach. The pixels in question are pieces of code that organizations can use to track how consumers use their websites and applications.

Advocate Aurora said in the statement that it learned that pixels and similar technologies installed on its patient portals, as well as on some of its scheduling widgets, sent patient information to the outside vendors who supply the pixels. People who were logged into their Facebook or Google accounts at the same time may have been particularly affected, Advocate Aurora said.

The hospital system has since disabled or removed the pixels, according to the statement. A spokeswoman was not able to immediately answer a question Thursday afternoon about when those pixels were removed or disabled.

“We take patient privacy very seriously, employ robust internal controls to protect patient data and are committed to compliance with all laws applicable to our operations,” Advocate Aurora said in a statement. “Like others in our industry, we have used internet tracking technologies to improve the consumer experience across our websites and encourage individuals to schedule necessary preventive care. We are thoroughly evaluating the information we collect and track.”

Other hospital systems have also been dealing with privacy issues related to pixel technology in recent months. One lawsuit filed in federal court in California against Meta alleges that hundreds of hospital and medical provider websites use the technology.

A Northwestern Memorial Hospital patient who lives in Skokie filed a lawsuit in federal court against Northwestern, Meta and Facebook in August, alleging the hospital, Meta and Facebook used “Meta Pixel to unlawfully collect the private medical information of Northwestern Memorial Hospital’s patients and to use that data for their own profit,” according to the complaint. That lawsuit seeks class-action status.

Two Rush hospital system patients filed a similar lawsuit in federal court Sept. 30, alleging that Rush “discloses plaintiffs’ and class members’ personally identifiable patient data, including their status as patients and the contents of their communications with Rush, to third parties including Facebook, Google, and a digital advertising company.” That lawsuit also involves pixel technology.

Rush said in a statement: “RUSH is deeply committed to patient privacy and takes any involvement that data has been shared inappropriately with the utmost urgency. We are aware of and reviewing the lawsuit and intend to defend RUSH vigorously against the plaintiffs’ claims.”

A Northwestern spokesman said Thursday the system does not comment on pending litigation.

North Carolina system WakeMed Health & Hospitals notified patients on its website last week that some of their information may have been exposed through pixels provided by Facebook.

Advocate Aurora reported its breach to the US Department of Health and Human Services Office for Civil Rights. Health systems must report breaches of protected health information involving 500 or more individuals to that office, which posts reports on a public website, nicknamed the Wall of Shame. The Office for Civil Rights investigates such breaches and can levy fines against health systems, depending on severity.

The Advocate Aurora breach is the largest health care data incident that’s been reported to the office this year.

Data breaches have plagued hospital systems across the country for years, as hospitals try to keep up with ever-changing technologies, evolving cyber criminal activity and competing demands for their dollars and time.

Patients with questions about the Advocate Aurora breach may call 866-884-3206 from Monday through Friday from 7 am to 7 pm, and Saturday from 9 am to 2 pm.

lschencker@chicagotribune.com
