This article is more than 1 year old

Oops, web trackers may have leaked 3 million patients' info

Scream with us: Aaaaaa-AAH

A hospital network in Wisconsin and Illinois fears visitor tracking code on its websites may have transmitted personal information on as many as 3 million patients to Meta, Google, and other third parties.

Advocate Aurora Health (AAH) reported the potential breach to the US government's Health and Human Services. As well as millions of patients, AAH has 27 hospitals and 32,000 doctors and nurses on its books.

The company has no connection to UK health company AAH (All About Health).

Essentially, AAH is saying that it placed analytics code on its online portals to get an idea of how many people visit and login to their accounts, what they use, and so on. It's now determined that code – known also as trackers or pixels because they may be loaded onto pages as invisible single pixels – may have sent personal info from the pages patients had open to those providing the trackers, such as Facebook or Google.

You might imagine these trackers simply transmit a unique identifier and IP address for the visitor and some details about their actions on the site for subsequent analysis and record keeping. But it turns out these pixels can send back all sorts of things like search terms, your doctor's name, and the illnesses you're suffering from.

In this case, AAH believes the data transmission warrants raising an alarm.

"We learned that pixels or similar technologies installed on our patient portals … transmitted certain patient information to the third-party vendors that provided us with the pixel technology," AAH said. "[We have] decided to assume that all patients with an [AAH] MyChart account … as well as any patients who used scheduling widgets on [our] platforms, may have been affected."

We're told that what was taken depended a lot on what you were doing on the portals – so it sounds as though the trackers were logging individual activity on pages (user searched for doctor, user booked appointment, etc) rather than blanket harvesting all patient records automatically:

Users may have been impacted differently based on their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform by the user.

The data that may have been sent, though, is extensive: IP addresses, appointment information including scheduling and type, proximity to an AAH facility, provider information, digital messages, first and last name, insurance data, and MyChart account information may all have been exposed. AAH said financial and Social Security information was not compromised.

Everyone else is tracking, so why can't we?

Trackers from Meta, Google, TikTok, and others can be used for a range of things, depending on which is used: measuring audience; working out how effective ads are by seeing how many clicks lead to purchases; building profiles on people to target them with ads tailored to their interests; and so on.

Earlier this year, it was shown that Meta's pixels could collect a lot more than basic usage metrics, transmitting personal data to Zuckercorp even for people who didn't have Facebook accounts. The same is true of other trackers, such as TikTok's, which can gather personal data regardless of whether a website's visitor has ever set a digital foot on the China-owned social network.

Generally speaking, site and app owners have control over how much or how little is collected by the trackers they place on their pages. You can configure which activities trigger a ping back to the pixel provider, such as Meta, which you can then review from a backend dashboard.

While the info exposed by AAH was not grabbed by hackers, it is now in the hands of Big Tech, which is a privacy concern no matter what those technology companies say.

AAH said it – like so many other organizations, government and private – was using the trackers to aggregate user data for analysis, and it only seems to have just occurred to the nonprofit that this data is private health information and shouldn't really be fed into Meta or Google. "In an effort to deliver high quality services to its community, [AAH uses] several third-party vendors to measure and evaluate information concerning the trends and preferences of its patients as they use our websites," the healthcare group said.

Like a similar incident in August at Novant Health, once AAH realized the pixels were leaking patient data, it removed the tracking code from its webpages and is still evaluating how to prevent a future snafu. As to whether it would swear off such tracking in the future, AAH didn't want to go that far. 

"To the extent any tracking technologies are proposed in the future, such technologies will be evaluated under Advocate Aurora's enhanced, robust technology vetting process consistent with our commitments to patient privacy," the hospital group said. ®

More about


Send us news

Other stories you might like