A hospital network widely used in two U.S. states might have inadvertently leaked personal information about 3 million patients to Meta, Google and other Big Tech companies. The hospital network, which covers both Illinois and Wisconsin, recently reported the web tracker leak to the U.S. government’s Health and Human Services department.
Hospital Web Tracker Leak In Illinois and Wisconsin Affects 3 Million Patients
Advocate Aurora Health (AAH) comprises 27 hospitals and 32,000 doctors across Illinois and Wisconsin. The medical provider network had placed analytics code, known as web trackers, on its online portals. The intent was to get details on how many patients use the portals, what services they use them for, and so forth.
According to The Register, the hospital network discovered a potential web tracker leak that may have sent personal data for more than 3 million patients to Big Tech. The trackers, also known as pixels because they can be loaded on pages as just single invisible pixels, could have transmitted information back to the vendors providing the tool.
“We learned that pixels or similar technologies installed on our patient portals … transmitted certain patient information to the third-party vendors that provided us with the pixel technology. [We have] decided to assume that all patients with an [AAH] MyChart account … as well as any patients who used scheduling widgets on [our] platforms, may have been affected.”
An Extensive Potential Breach
AAH told The Register that what information was leaked depended heavily on what patients were doing on the portal. It also depended on what privacy safeguards users had on their browsers, such as blocking, clearing or allowing cookies.
Other factors affecting the extent of the breach include whether the patients were logged into Facebook or Google, but the breadth of data that could have been transmitted is pretty extensive:
- IP addresses,
- Appointment information including scheduling and type,
- Proximity to an AAH facility,
- Provider information,
- Digital messages,
- First and last names,
- Insurance data, and
- MyChart account information.
Financial and Social Security information, AAH said, was not compromised. Still, that’s a wealth of personally identifiable information to just send willy-nilly to the likes of Google or Meta/Facebook.
Data Not Grabbed by Hackers, But It’s Still Troublesome
The good news is this information doesn’t appear to have been snatched up by hackers. Also, AAH removed the tracking pixels as soon as it realized they were leaking data. It does make sense for the hospital network to hope to gain demographic and usage details about its online portals.
However, it still represents a significant privacy concern. Despite Big Tech companies’ protests to the contrary, there is significant worry that such information could be misused. At a minimum, the companies benefiting from the breach could use it to target advertisements in an age where such marketing is increasingly difficult.