Novant patient data may have been sent to Facebook, hospital system says
North Carolina-based Novant Health has mailed 1.3 million letters to patients, warning that their medical information may have been sent to Facebook and its parent company, Meta.
The health care system, which is headquartered in Winston-Salem, said a Facebook tracking tool called a Meta pixel was placed on its website and patient portal in May 2020. The pixel has since been removed, Novant said, but it may have sent patients’ sensitive personal and health information to Facebook, including a patient’s appointment type and date, physician selected, button/menu selections and content typed into text fields.
Other possibly breached information, according to the health system, includes patient email addresses, phone numbers, computer IP addresses and contact information entered into ‘emergency contacts.’ It did not include patients’ Social Security numbers or financial information, according to a copy of a letter reviewed by WFAE.
“We want to be as transparent as possible,” Novant wrote in the letter.
Novant said the pixel was placed on its website to help it understand the effects of its ads encouraging people to sign up for the MyChart patient portal. It claims “the pixel was configured incorrectly” and that this led to the possible data breach.
Several other North Carolina hospital systems — Atrium Health Carolinas Medical Center, Duke University Hospital and WakeMed — also installed the pixel on their websites, according to an investigation published earlier this summer by news website The Markup.
As of early Friday afternoon, an Atrium spokesperson had not responded to an emailed question from WFAE asking whether the pixel was still installed. The Markup reported in June that WakeMed removed its pixel after being contacted by the news organization.
Duke Health has removed the tracker, health system officials said Friday.
“Our review has shown that the pixel was not used on our patient portal,” Duke officials said in an emailed statement. “… It was also determined that the use of the pixel … on our public-facing websites posed no risk of harm to patients and other site visitors and that notifications were therefore not needed.”
It’s not clear how Facebook or Meta might use the patient data. Meta did not respond to questions from The Markup, and the news site reported it was “unable to determine whether Facebook used the data to target advertisements, train its recommendation algorithms, or profit in other ways.”
In its letter to patients, Novant said it’s implemented “more structure, governance and policies around the use of pixels” and promised it would “take appropriate actions to ensure that this does not happen again.”