
Advocate Aurora Health: Website Tracking Code May Have Impermissibly Disclosed PHI of 3 Million Patients

Another health system has announced that patient data was impermissibly passed to Meta (Facebook) as a result of Meta Pixel tracking code on its website. First came Novant Health, which admitted that the protected health information of 1.36 million patients had been sent to Meta. Then WakeMed Health and Hospitals said the information of around 500,000 patients may have been impermissibly disclosed. Now Advocate Aurora Health has confirmed that it too included the tracking code, resulting in the impermissible disclosure of the protected health information of up to 3,000,000 patients. These three health systems are far from the only ones affected by the use of Meta Pixel and other third-party tracking code on healthcare websites.

An analysis published by The Markup and STAT in June suggested one-third of the top 100 hospitals in the United States had included the code on their websites, including at least 6 that had incorporated it within their password-protected patient portals. Following the discovery, affected patients took legal action against their healthcare providers and Meta over the impermissible disclosures. In some cases, their personal and private information was used to serve them targeted advertisements related to their medical conditions, based on their interactions with their healthcare providers' websites. Lawsuits have been filed against Meta and MedStar Health in Maryland, and against Meta and UCSF Medical Center/Dignity Health Medical Foundation.

Meta Pixel is a snippet of JavaScript that website owners add to their websites and web applications to track visitor activity. Healthcare providers have used it to measure the performance of advertising campaigns, as Novant Health did, or to identify trends and preferences among patients. However, some of the data collected included choices made via drop-down selections in web forms, which may have revealed information about medical conditions, and that information may have been accompanied by personal identifiers.

The data collected by the Meta Pixel code is sent to Meta, where it may be made available to advertisers and used to serve targeted adverts. Meta has said it has technology in place to detect data it is not authorized to receive, such as medical information, and to strip it out before it reaches advertisers. According to the allegations in the lawsuits, however, that filtering has not always worked.
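As an added illustration (not code from The HIPAA Journal or from any of the health systems named in this article), the Node.js script below shows the check a web or privacy team can run against its own pages: it looks for the public installation snippets of Meta Pixel and Google tags in page source, flags hits on paths assumed to be authenticated or scheduling areas, and evaluates whether a Content-Security-Policy header would allow the third-party loader script to execute. The tracker signatures, path prefixes, sample pages, placeholder IDs and CSP strings are all constructed for the example.

```javascript
// Added audit example (not code from The HIPAA Journal or any health system named in
// the article). Scans page source for tracking-pixel install snippets, flags hits on
// paths assumed to carry PHI, and checks whether a CSP would let the loader script run.
// Run with: node pixel_audit.js

// Signatures based on the vendors' public install snippets: the fbevents.js loader and
// fbq('init', ...) call for Meta Pixel; gtag/js and gtag('config', ...) for Google.
const TRACKER_SIGNATURES = [
  { vendor: "Meta Pixel", pattern: /connect\.facebook\.net\/[\w-]+\/fbevents\.js|\bfbq\s*\(\s*['"]init['"]/i },
  { vendor: "Google tag", pattern: /googletagmanager\.com\/gtag\/js|\bgtag\s*\(\s*['"]config['"]/i },
  { vendor: "Google Tag Manager", pattern: /googletagmanager\.com\/gtm\.js|\bGTM-[A-Z0-9]{4,}\b/ },
];

// Assumption for this example: these prefixes are the authenticated portal and
// scheduling areas where a pixel would see PHI (modelled on the portals named above).
const SENSITIVE_PATH_PREFIXES = ["/mychart", "/livewell", "/schedule"];

// Vendors whose snippet appears in the page source.
function findTrackers(html) {
  return TRACKER_SIGNATURES.filter(({ pattern }) => pattern.test(html)).map(({ vendor }) => vendor);
}

function isSensitivePath(urlPath) {
  const p = urlPath.toLowerCase();
  return SENSITIVE_PATH_PREFIXES.some((pre) => p === pre || p.startsWith(pre + "/"));
}

// Parse a CSP header into { directiveName: [sourceExpressions] }.
function parseCsp(header) {
  const policy = {};
  for (const part of header.split(";")) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) policy[name.toLowerCase()] = sources;
  }
  return policy;
}

// Does one scheme-source ("https:") or host-source ("*.facebook.net", "cdn.example.org:443")
// match the script URL? Port is compared; the path part of a host-source is ignored here.
function sourceMatches(src, script) {
  if (/^[a-z][a-z0-9+.-]*:$/.test(src)) return script.protocol === src;
  const m = src.match(/^(?:([a-z][a-z0-9+.-]*):\/\/)?([^/:]+)(?::(\d+|\*))?(?:\/.*)?$/);
  if (!m) return false;
  const [, scheme, host, port] = m;
  if (scheme && script.protocol !== scheme + ":") return false;
  if (host.startsWith("*.")) {
    if (!script.hostname.endsWith(host.slice(1))) return false; // "*.x.net" matches "a.x.net", not "x.net"
  } else if (script.hostname !== host) {
    return false;
  }
  if (port && port !== "*") {
    const scriptPort = script.port || (script.protocol === "https:" ? "443" : "80");
    if (scriptPort !== port) return false;
  }
  return true;
}

// Would a script from scriptUrl be allowed on a page at pageOrigin under this CSP?
// Uses script-src, falling back to default-src; with neither directive, anything loads.
function cspAllowsScript(header, pageOrigin, scriptUrl) {
  const policy = parseCsp(header);
  const sources = policy["script-src"] ?? policy["default-src"];
  if (!sources) return true;
  if (sources.length === 1 && sources[0].toLowerCase() === "'none'") return false;
  const script = new URL(scriptUrl);
  const page = new URL(pageOrigin);
  return sources.some((raw) => {
    const src = raw.toLowerCase().replace(/^'|'$/g, "");
    if (src === "*") return true;
    if (src === "self") return script.origin === page.origin;
    if (src === "none" || src.startsWith("nonce-") || src.startsWith("sha")) return false; // inline-only
    return sourceMatches(src, script);
  });
}

// Constructed sample pages; markup and IDs are placeholders, not a real deployment.
const SAMPLE_PAGES = [
  {
    path: "/MyChart/Appointments",
    html: `<html><head>
      <script>!function(f,b,e,v,n,t,s){/* vendor loader elided */}(window,document,'script',
        'https://connect.facebook.net/en_US/fbevents.js');
      fbq('init', '0000000000000000'); fbq('track', 'PageView');</script>
      <script async src="https://www.googletagmanager.com/gtag/js?id=G-0000000000"></script>
      </head><body><select name="visitReason"><option>Oncology follow-up</option></select></body></html>`,
  },
  { path: "/about", html: "<html><body><p>Find a location near you.</p></body></html>" },
];

// Weak policy: the bare "https:" scheme-source admits any HTTPS script, pixels included.
const WEAK_CSP = "default-src 'self'; script-src 'self' https:";
// Hardened policy: scripts only from the portal's own origin.
const STRICT_CSP = "default-src 'self'; script-src 'self'; connect-src 'self'";
const META_LOADER = "https://connect.facebook.net/en_US/fbevents.js";

// For each page carrying a tracker: is the path PHI-bearing, and would the CSP have
// let the Meta loader script run?
function auditPages(pages, cspHeader, pageOrigin) {
  return pages
    .map((p) => ({ path: p.path, trackers: findTrackers(p.html) }))
    .filter((r) => r.trackers.length > 0)
    .map((r) => ({
      ...r,
      sensitive: isSensitivePath(r.path),
      metaLoaderAllowed: cspAllowsScript(cspHeader, pageOrigin, META_LOADER),
    }));
}

for (const [label, csp] of [["weak CSP", WEAK_CSP], ["strict CSP", STRICT_CSP]]) {
  console.log(label, JSON.stringify(auditPages(SAMPLE_PAGES, csp, "https://portal.example.org"), null, 2));
}
```

The weak policy admits the Meta loader because of the bare https: scheme-source; the strict policy limits scripts to the portal's own origin, which also blocks the inline fbq() snippet unless 'unsafe-inline' or a nonce is added. A CSP is a backstop, not a substitute for the vetting process Advocate Aurora Health describes later in this article: tag managers can inject a pixel after page load, so audit the running page (the browser's network log for requests to connect.facebook.net and the form values carried in them), not only the static source.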


There are two issues here. First, no HIPAA authorization (consent) had been obtained from patients before their data was shared with Meta/Facebook and other third parties. Second, patients' protected health information was disclosed to Meta/Facebook or others with no business associate agreement in place. Both are violations of the Health Insurance Portability and Accountability Act (HIPAA).

Advocate Aurora Health Breach Notification

Advocate Aurora Health is a non-profit health system with dual headquarters in Downers Grove, IL, and Milwaukee, WI. Advocate Aurora Health operates 27 hospitals, more than 500 outpatient locations, and serves around 3 million patients, all of whom may have been affected.

Advocate Aurora Health explained in its breach notification letters that Meta Pixel code was added to its website and applications “to understand how patients and others interact with our websites,” and for “identifying trends and preferences of patients.” Advocate Aurora Health also pointed out that many other hospitals and health systems had also used the code snippets on their websites and applications for similar purposes.

Advocate Aurora Health said it discovered that when individuals used its websites and web applications while signed into their Google or Facebook accounts, data about their interactions was shared with Google and Facebook/Meta, and their identities would also have been disclosed along with it. In some cases, those interactions may have included protected health information.

“We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology,” explained Advocate Aurora Health. When this was discovered, the code snippets were either disabled or removed from its websites and web applications, and an internal investigation was launched to determine the extent to which patient data had been transmitted to third-party vendors.

Advocate Aurora Health explained that, out of an abundance of caution, the decision was taken to issue notifications to all patients who had an Advocate Aurora Health MyChart account, used the LiveWell application, or the scheduling widgets on its web platforms. The extent to which those patients were affected, if at all, depends on their interactions with the website and whether they were logged into their Google or Facebook accounts at the time.

Patients affected may have had one or more of the following types of information transmitted to Google, Facebook/Meta, or others:

  • IP address
  • Dates, times, and/or locations of scheduled appointments
  • Proximity to an Advocate Aurora Health location
  • Information about a patient’s provider
  • Type of appointment or procedure
  • Communications through MyChart, which may have included their first and last name and medical record number
  • Information about whether the patient was insured
  • If a patient had a proxy MyChart account, the patient’s first name and the first name of the patient’s proxy.

Advocate Aurora Health said its investigation indicates no Social Security numbers, financial account information, or credit/debit card information was impermissibly disclosed. Advocate Aurora Health said it has now implemented an enhanced, robust technology vetting process for any tracking technologies that it considers using in the future to ensure similar privacy violations do not occur again.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal and is responsible for its editorial policy and for the factual and legal accuracy of all content it publishes. He is a specialist on healthcare industry legal and regulatory affairs, has 10 years of experience writing about HIPAA and related legal topics, and has written hundreds of articles on the regulatory issues surrounding the use of information technology in healthcare. Steve holds a Bachelor of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or by email at stevealder(at)hipaajournal.com
