Skip links

Novant Health admits leak of 1.3m patients’ info to Facebook

Novant Health confirmed that it may have disclosed 1.3 million patients’ sensitive data, including email addresses, phone numbers, financial information – even doctor’s appointment details – to Meta.

This admission by the health-care network, which spans 800 hospitals and clinics across North Carolina, South Carolina and Georgia, follows a class action lawsuit against Meta that claims Facebook illegally received patient data from at least 664 hospital systems or medical providers.

Novant finally copped to sending letters to “some of its patients following possible disclosure of protected health information (PHI) resulting from an incorrect configuration of a pixel, an online tracking tool,” in a statement released late on Friday. A spokesperson later confirmed to The Register that 1.3 million patients received these letters.

According to the healthcare firm, leaked data also potentially included computer IP addresses, emergency contact information, advanced care planning contacts, appointment types and dates, patients’ physicians, and various information types into text boxes or selected from drop-down menus and buttons via its patient portal.

“The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user,” the statement said. “The letter sent to each patient will specifically state whether such financial information may have been involved.”

Novant added that it’s not aware of any “improper use or attempted use” of patient info by Meta or any other third party. 

However, considering that Meta, after being served with a subpoena, handed over Facebook chats between a Nebraska mother and her daughter that were later used to build a criminal case against the teen for getting a now-illegal abortion in her home state, “improper use” sounds very subjective.

Following the breach, the healthcare giant added better “structure, governance and policies around the use of pixels and is taking actions to ensure this does not happen again.”

Here’s what did happen, according to Novant.

Back in May 2020, the healthcare corporation launched a promotional campaign to get more patients to sign up for its patient portal, ostensibly to make it easier for patients to receive care virtually at a time when in-person doctors’ visits were extremely limited by the COVID-19 pandemic.

This campaign involved Facebook advertisements and a tracking pixel — this is a piece of code used to track users activity on a particular website for marketing and analytics purposes —  on the Novant Health website. The pixel was supposed to track the Facebook ad campaign’s success. But this didn’t quite go as planned. 

“In this case, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal,” Novant admitted.

Once Novant realized the pixel had been sending patient information to Meta, the health-care company said it “immediately” disabled and removed the code, and then launched an investigation into what information had been shared with the social media giant.

“Based on that investigation, Novant Health determined on June 17, 2022, that it was possible sensitive information or PHI might have been disclosed to Meta, depending upon a user’s activity within the Novant Health website and MyChart portal.”

Shortly after, an anonymous hospital patient filed a class-action lawsuit against Meta, alleging Facebook received patient data from at least 664 hospital systems or medical providers in violation of the Health Insurance Portability and Accountability Act.

“Facebook monetizes the information it receives through the Facebook Pixel deployed on medical providers’ web properties by using it to generate highly-profitable targeted advertising on and off Facebook,” the lawsuit claims [PDF].

According to Meta’s Terms and Conditions around sensitive health-care data, its policies and filters block personal data and do not use it in their ad manager software.

It says: “If Facebook’s signals filtering mechanism detects Business Tools data that it categorizes as potentially sensitive health-related data, the filtering mechanism is designed to prevent that data from being ingested into our ads ranking and optimization systems.” ®