In June, many of us first became aware that Facebook was receiving sensitive medical information from hospital websites. Of the 33 hospital websites that The Markup tested, 10 had trackers (“Meta Pixels”) that sent information to Facebook when a patient clicked a button on the hospital’s site to schedule a medical appointment.
This month, Novant Health sent notifications to more than 1.3 million patients about what they reported as “unauthorized access/disclosure” of protected health information. Novant reported the incident to HHS on behalf of Novant Health ACE and as a contractor for NMG Services Inc.
A press release issued by Novant on August 19 explains their good intentions at the time:
In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goal of improving access to care through virtual visits and providing increased accessibility to counter the limitations of in-person care. This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those efforts on Facebook. A pixel is a piece of code that organizations commonly use to measure activity and experiences on their website. In this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.
In terms of what kinds of PHI may have been transmitted, Novant’s investigation found that for any patient, it might include:
demographic information such as email address, phone number, computer IP address, and contact information entered into Emergency Contacts or Advanced Care Planning; and information such as appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes. The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user. The letter sent to each patient will specifically state whether such financial information may have been involved.
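One way a hospital security team can check for this kind of leakage on its own portal is to audit outbound pixel beacons for the data categories listed above. The following is an added example, not code from the article or from Novant: it scans constructed proxy-log lines for requests to the pixel endpoint and reports query parameters whose names suggest appointment, physician, free-text or contact data. The log format, portal hostname and custom-data parameter names are assumptions made for illustration.

```python
"""Audit outbound Meta Pixel beacons for PHI-like fields (added example)."""
import re
from urllib.parse import urlsplit, parse_qs

# Constructed sample proxy log, one request per line:
# "<timestamp> <client-ip> <method> <url>". Hostnames and cd[...] keys are illustrative.
SAMPLE_LOG = """\
2022-08-19T10:01:02Z 10.0.0.5 GET https://www.facebook.com/tr?id=123456&ev=PageView&dl=https%3A%2F%2Fportal.example.org%2Fhome
2022-08-19T10:01:09Z 10.0.0.5 GET https://www.facebook.com/tr?id=123456&ev=SubscribedButtonClick&cd%5Bbutton_text%5D=Schedule%20appointment&dl=https%3A%2F%2Fportal.example.org%2Fschedule
2022-08-19T10:01:15Z 10.0.0.5 POST https://www.facebook.com/tr?id=123456&ev=Schedule&cd%5Bappointment_type%5D=Oncology%20follow-up&cd%5Bphysician%5D=Dr.%20Example&cd%5Bnotes%5D=question%20about%20results
2022-08-19T10:02:00Z 10.0.0.7 GET https://cdn.example.org/app.js
"""

# Parameter names that map to the data categories named in the notification:
# appointment type/date, physician selected, button/menu selections, free text, contact details.
SENSITIVE_KEYS = re.compile(
    r"appointment|physician|provider|notes|message|free_?text|email|phone|button_text", re.I
)
PIXEL_HOST = "www.facebook.com"   # assumed pixel beacon host for this audit
PIXEL_PATH = "/tr"                # assumed pixel beacon path


def audit_pixel_beacons(log_text):
    """Return (line_no, event_name, [sensitive parameter names]) for each beacon
    to the pixel endpoint that carries a PHI-like query parameter."""
    findings = []
    for line_no, line in enumerate(log_text.splitlines(), 1):
        parts = line.split()
        if len(parts) < 4:
            continue                       # malformed or blank line
        url = urlsplit(parts[3])
        if url.hostname != PIXEL_HOST or url.path != PIXEL_PATH:
            continue                       # not a pixel beacon
        params = parse_qs(url.query)       # decodes cd%5Bkey%5D into cd[key]
        event = params.get("ev", ["?"])[0]
        hits = sorted(k for k in params if SENSITIVE_KEYS.search(k))
        if hits:
            findings.append((line_no, event, hits))
    return findings


if __name__ == "__main__":
    for line_no, event, hits in audit_pixel_beacons(SAMPLE_LOG):
        print(f"line {line_no}: event {event} sends {', '.join(hits)}")
```

A plain PageView beacon produces no finding; the button-click and scheduling beacons are reported with the offending parameter names so the pixel configuration on those pages can be corrected or the pixel removed from the portal.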
Their full press release can be accessed here.