Governance & Risk Management , HIPAA/HITECH , Privacy
Second Health Entity Reports Breach Tied to Meta Pixel UseNorth Carolina Organization Also Facing Pending Privacy Lawsuit Related to Pixel
A second healthcare entity is treating its past use of Facebook's Pixel website tracking code in patient portals as a data breach requiring regulatory notification.
See Also: Live Webinar | Breaking Down Security Challenges so Your Day Doesn’t Start at 3pm
North Carolina-based WakeMed Health and Hospitals reported to the Department of Health and Human Services on Oct. 14 an unauthorized access/disclosure breach affecting nearly 500,000 individuals.
The entity's breach notification statement says "select data" - including email addresses, phone numbers, novel coronavirus vaccine status and appointment information - may have been transmitted to Facebook parent Meta through the social media's deployable tracking code.
Affected information did not include Social Security numbers or other financial information unless it was entered into a free text box by the user, the notification says.
WakeMed says it began using Pixel in 2018 and discontinued its use this past May. In an emailed statement, a spokeswoman says the organization is unaware of any improper use or attempted use of any patient information by Meta or any other third party. “According to its terms and conditions, Meta has policies and filters that block sensitive personal data from being incorporated into its advertising programs and does not use any such information,” the spokeswoman says.*
In reporting itself to the HHS' Office for Civil Rights for a data breach by web tracking technology, WakeMed joins another large healthcare entity in seeking to be proactive with regulators. Advocate Aurora Health, a Midwest health system, reported earlier this month its use of Pixel as a data breach affecting 3 million individuals.
Facebook Pixel and similar tracking tools is drawing scrutiny by lawmakers, privacy advocates and class action attorneys especially given heightened sensitivities over health data privacy in the wake of the Supreme Court's June decision overturning the nationwide right to an abortion.
"Used in the manner intended, these tracking pixels are able to gather and transmit quite a bit of information about the user," says Michael Hamilton, CISO of security firm Critical Insight and former CISO of the city of Seattle. In the case of a patient portals, this can include sensitive health information entered and viewed by patients that ultimately gets transmitted to third parties, he says.
"Consumer activity tracking for the purpose of marketing is not a fit for the health sector," he adds.
Sen. Mark Warner, D-Virginia, wrote to Meta CEO Mark Zuckerberg last Tuesday to express concern over the company's ability to obtain through its website tracking tools sensitive health data, including medial conditions, appointment dates and treating physician names.
WakeMed is a co-defendant in at least one proposed class action lawsuit filed in a North Carolina federal court involving its use of Pixel.
That lawsuit, filed against Meta Platforms, WakeMed, and Duke University Health System on Sept. 1, alleges the medical systems violated medical privacy by the use of Pixel in the websites and patient portals.
Neither WakeMed, Duke University Health nor Meta respond to Information Security Media Groups request for comment.
Meta also faces at least four other proposed class action lawsuits about to be consolidated in the Northern District of California related to its use of Pixel and the privacy of health data.
*Update Nov. 1, 2022 21:44 UTC: Adds comment from WakeMed spokeswoman.