Advocate Aurora Health alerted federal regulators that a breach of its systems compromised the sensitive health information of 3 million patients.
The Midwest health system notified HHS’ Office for Civil Rights of the breach on Oct. 14, according to federal breach records.
On its website, Advocate Aurora said that it used third-party vendors to track patient trends and preferences as they interacted with the system’s websites and applications. To gather this information, Advocate Aurora has code on its sites and applications known as pixels.
Advocate Aurora said it recently learned that in certain instances those pixels sent patient information to third-party analytics vendors. Pixels were included on patient portals such as MyChart and LiveWell.
Information like dates and times of scheduled appointments may have been shared, as well as communications through the patient portal MyChart.
“Based on our investigation, no social security number, financial account, credit card, or debit card information was involved in this incident,” Advocate Aurora said in an online FAQ.
The breach hit patients differently but especially affected those who were concurrently logged into Facebook or Google accounts when interacting on those sites, Advocate Aurora explained in the FAQ.
A June report from The Markup, a nonprofit newsroom focused on data-driven investigations, found that Facebook received sensitive medical information from hospital websites using pixel tracking.
The Advocate Aurora breach comes on the heels of a ransomware attack against another major health system — CommonSpirit Health — that has disrupted care at multiple facilities.