Hospital Data Breach

Published On: October 23, 2022Categories: Cyber Briefs

On Thursday, October 20, Advocate Aurora Health (AAH), a healthcare system based in Wisconsin and Illinois, notified its patients of a breach that exposed the Personal Health Information (PHI) of 3,000,000 patients. The leak was caused by the improper use of Meta Pixel on AAH’s website, where patients log in and enter medical and personal information. The Meta Pixel is a snippet of JavaScript code that allows you to track visitor activity on your website. (Meta)

Privacy concerns around Meta Pixel:

The SensCy cybersecurity team has been monitoring the rise of data breaches in the healthcare industry. The latest breach joins a long list of healthcare data breaches due to Meta Pixel’s misuse. Meta Pixel is used by many hospitals in the U.S. and is currently facing class action lawsuits for tracking, exposing, and using healthcare data to target ads. According to the lawsuit, “neither the hospitals nor Meta informs the patients about the data collection, no user consents are requested, and there is no visible indication of this process.” SensCy believes it is highly likely that more data breaches will accrue in the near future as healthcare providers will continue to be targeted by threat actors, and they will continue to use third-party tools such as Meta Pixel.

AAH notified its patient of the data breach, providing a FAQ, and said the following information might have been exposed via Meta Pixel: IP address; Dates, times, and locations of scheduled appointments; Proximity to an AAH location; Medical provider information; Type of appointment or procedure; Communications between MyChart users, which may have included first and last names and medical record numbers; Insurance information; Proxy account information.

AAH has disabled the Pixel tracker and is implementing new safeguards to prevent similar incidents.

SensCy advised patients to use their web browser’s tracker-blocking features or use incognito mode when accessing medical portals.

Related Posts

  • November 29, 2022

    Categories: Cyber Briefs

    In today’s SensCy Cyber Brief, your SensCy team is investigating Business Email Compromise (BEC) fraud and methods used by threat actors that could leave your [...]

  • November 4, 2022

    Categories: Cyber Briefs

    In today’s SensCy Cyber Brief, your SensCy team recommends Google Chrome Browser users to install the new Chrome Version immediately. The new update was released [...]

  • October 24, 2022

    Categories: Cyber Briefs

    On Wednesday, October 19, Microsoft confirmed that it accidentally exposed information about thousands of customers following a misconfiguration that left an endpoint publicly accessible without [...]