Attorney Aurora Health’s Data Breach Potentially Impacted 3M Patients Safety Matters

Attorney Aurora Health (AAH) disclosed a data breach that exposed the personal data of 3,000,000 patients.

US hospital health system Advocate Aurora Health (AAH) disclosed a data breach that exposed the personal data of 3,000,000 patients. The company notifies the persons concerned.

The health system operates 26 hospitals in Wisconsin and Illinois. The root cause of the data breach is the misuse of Meta Pixel on organization websites. The Meta Pixel is a snippet of JavaScript code that allows administrators to track visitor activity on their websites.

The compromised websites contained sensitive personal and medical information entered by patients.

Data from exposed patients includes:

  • IP adress
  • Dates, times and locations of scheduled meetings
  • Proximity to an AAH site
  • Medical Provider Information
  • Type of appointment or procedure
  • Communications between MyChart users, which may have included first and last names and medical record numbers
  • Insurance Information
  • Proxy account information

Privacy experts have pointed out that the Meta Pixel code, which is also used by many other hospitals, sends sensitive data to Meta which uses it for marketing purposes.

“In an effort to provide high-quality services to its community, Advocate Aurora Health uses the services of several third-party vendors to measure and evaluate information regarding its patients’ trends and preferences as they use our websites. To do this, pieces of code called “pixels” have been included on some of our websites or applications. These pixels or similar technologies were designed to collect information that we review in aggregate so that we can better understand patient needs and preferences to provide necessary care to our patient population. read it Data Breach Notice published by the company. “We have learned that pixels or similar technologies installed on our patient portals available through the MyChart and LiveWell websites and apps, as well as on some of our scheduling widgets, transmit certain patient information to third-party vendors who provide us with pixel technology. ”

Advocate Aurora Health assumed that all patients with an Advocate Aurora Health MyChart account (including LiveWell app users), as well as all patients who used scheduling widgets on Advocate Aurora Health platforms, could have been affected. How users may have been impacted depends on several factors, such as their browser choice, their browser settings, their cookie management, and whether they have Facebook or Google accounts.

Health System has disabled the Pixel tracker on all websites and apps and is evaluating how to mitigate the risk of data breaches in the future

Aurora Health Advocate recommends that patients block or delete cookies or use browsers that support privacy-enhancing operations.

Follow me on Twitter: @securityaffairs and Facebook

Pierluigi Paganini

(Security cases hacking, attorney Aurora Health)

Comments are closed.