Misconfigured Meta Pixel exposed healthcare data of 1.3M patients

Gandalf_The_Grey

U.S. healthcare provider Novant Health has disclosed a data breach impacting 1,362,296 individuals who have had their sensitive information mistakenly collected by the Meta Pixel ad tracking script.

Meta Pixel (formerly Facebook Pixel) is a JavaScript tracking script that Facebook advertisers can add to their site to track advertising performance.

The unauthorized patient data access and disclosure began in May 2020, when Novant ran promotional campaigns for COVID-19 vaccination, which involved Facebook advertisements.

To track these advertisements, the healthcare company added the Meta Pixel code to their site to measure how well the advertisements worked.

As explained in a statement published late last week, Meta Pixel was misconfigured on Novant Health's site and the 'MyChart' portal, transmitting private information to Meta and its advertising partners.

The information that may have been exposed through Meta Pixel includes the following:
  • Email address
  • Phone number
  • IP address
  • Emergency contact information
  • Appointment type and date
  • Selected physician
  • Portal menu selections
  • Any content typed into the "free text" boxes

The MyChart portal is used by 64 healthcare service providers in the U.S., allowing their patients to book appointments with doctors, request prescription refills, contact their providers, and more.

Unfortunately, this means that even those who haven't used Novant's services directly might still have been exposed due to the tracker's misconfiguration.

Novant finally removed Meta Pixel from its sites and portal in May 2022, when its I.T. teams realized the mistake, so the exposure lasted for two years.
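The fields listed above are exactly what a portal owner should be looking for in outbound third-party beacons. The following is an added example, not code from the article or from Novant, showing how an audit over captured browser requests can flag Pixel calls that carry email addresses, phone numbers, or portal activity text. The request entries, pixel id and parameter names are constructed sample data modelled on the Pixel's query-string format; the hostnames are assumptions.

```javascript
// Added example (not from the article): audit captured outbound requests from a
// patient portal page for tracking beacons carrying the data categories Novant listed.
// Request entries are constructed sample data shaped like DevTools/HAR entries: { url }.

// Tracker endpoints to inspect (www.facebook.com/tr is the Pixel collection endpoint).
const TRACKER_HOSTS = new Set(['www.facebook.com', 'connect.facebook.net']);

const EMAIL_RE = /^[^\s@]+@[^\s@]+\.[^\s@]+$/;
const PHONE_RE = /^\+?\d[\d\s().-]{7,}\d$/;
// Words that indicate portal activity (menu selections, appointment details, free text)
// rather than plain ad metrics such as a page view.
const SENSITIVE_HINTS = ['appointment', 'physician', 'provider', 'emergency', 'free_text', 'note'];

// Classify one query parameter; returns null when it looks like benign ad metrics.
function classifyValue(key, value) {
  if (EMAIL_RE.test(value)) return 'email';
  if (PHONE_RE.test(value)) return 'phone';
  const lk = key.toLowerCase();
  const lv = value.toLowerCase();
  if (SENSITIVE_HINTS.some(h => lk.includes(h) || lv.includes(h))) return 'portal-activity';
  return null;
}

// Walk every captured request; report each tracker parameter that carries sensitive data.
function auditBeacons(requests) {
  const findings = [];
  for (const req of requests) {
    const u = new URL(req.url);
    if (!TRACKER_HOSTS.has(u.hostname)) continue;
    for (const [key, value] of u.searchParams) {
      const kind = classifyValue(key, value);
      if (kind) findings.push({ host: u.hostname, param: key, kind });
    }
  }
  return findings;
}

// Constructed sample traffic: one benign PageView, then a button-click beacon leaking the
// selected menu text, then a beacon with plaintext matching fields. Real deployments may
// hash matching values before sending; the shape of the request is what the audit checks.
const SAMPLE_REQUESTS = [
  { url: 'https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=PageView&dl=https%3A%2F%2Fportal.example-health.test%2F' },
  { url: 'https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=SubscribedButtonClick&cd[buttonText]=Schedule%20appointment%20with%20physician' },
  { url: 'https://www.facebook.com/tr?id=PLACEHOLDER_PIXEL_ID&ev=Lead&ud[em]=patient%40example.test&ud[ph]=%2B15555550100' },
];

console.log(auditBeacons(SAMPLE_REQUESTS));
```

Run against a HAR export of a logged-in portal session, the same function shows which pages and buttons feed data to the tracker before any patient notice is needed.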

"Immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta, Novant Health disabled and removed the pixel as a precaution and began an investigation to learn whether, and to what extent, information was transmitted," explains a disclosure on the Novant Health website.

The firm says it determined the impacted individuals after a lengthy investigation that concluded on June 17, 2022, so only those who received notices should consider themselves affected.

Novant says it has reached out to Meta several times to delete the healthcare data but did not receive a response.

"We reached out to Meta Facebook several times and through different channels, but never got a response," Novant Health concludes in its advisory.

Bleeping Computer has contacted Facebook for a comment on the above, and we will update this piece as soon as we hear back.