Healthcare system Advocate Aurora Health data breach potentially impacted 3M patients

Healthcare system Advocate Aurora Health (AAH) disclosed a data breach that exposed the personal data of 3,000,000 patients.

The US-based hospital healthcare system Advocate Aurora Health (AAH) disclosed a data breach that exposed the personal data of 3,000,000 patients. The company is notifying the impacted individuals.

The healthcare system operates 26 hospitals in Wisconsin and Illinois. The root cause of the data breach is the improper use of Meta Pixel on the websites of the organizations. The Meta Pixel is a snippet of JavaScript code that allows administrators to track visitor activity on their websites.

The compromised websites contained sensitive personal and medical information entered by the patients.

Exposed patients’ data includes:

• IP address
• Dates, times, and locations of scheduled appointments
• Proximity to an AAH location
• Medical provider information
• Type of appointment or procedure
• Communications between MyChart users, which may have included first and last names and medical record numbers
• Insurance information
• Proxy account information

Privacy experts pointed out that the Meta Pixel code, which is also used by many other hospitals, sends sensitive data to Meta that uses them for marketing purposes.

“In an effort to deliver high quality services to its community, Advocate Aurora Health uses the services of several third-party vendors to measure and evaluate information concerning the trends and preferences of its patients as they use our websites. To do so, pieces of code known as “pixels” were included on certain of our websites or applications. These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population.” reads the Notice of data breach published by the company. “We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology.”

Advocate Aurora Health assumed that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on Advocate Aurora Health’s platforms, may have been impacted. The way users may have been impacted depends on multiple factors, such as their choice of browser, the configuration of their browsers, the management of their cookies, and whether they have Facebook or Google accounts.

The healthcare system has disabled the Pixel tracker on all websites and applications and is evaluating how to mitigate the risk of data breach in the future

Advocate Aurora Health recommends patients block or delete cookies or using browsers that support privacy-protecting operations.

Follow me on Twitter: @securityaffairs and Facebook

[adrotate banner=”9″]

[adrotate banner=”12″]

Pierluigi Paganini

(SecurityAffairs – hacking, Advocate Aurora Health)

[adrotate banner=”5″]

[adrotate banner=”13″]