Leaked data potentially included patients’ email addresses, phone numbers, and device IP addresses

Healthcare provider Novant issues data breach warning after site tracking pixels sent patient information to Meta servers

Novant Health, a US healthcare provider, is warning patients of a potential data breach resulting from an incorrect configuration of an online tracking tool from the company behind Facebook.

Novant, which operates more than 50 healthcare facilities across North Carolina, said it placed a snippet of JavaScript code on its website as part of a promotional campaign during the early stages of the coronavirus pandemic.

The code was for Meta Pixel, a digital tracking tool that can be used by organizations to help them gauge the success of Facebook marketing campaigns.

However, the tracking pixel in question was “configured incorrectly and may have allowed certain private information to be transmitted to Meta” from the Novant Health website and patient portal, the company said.

Losing track

In a recent privacy statement, Novant Health said that it removed the pixel as soon as it discovered that it had the capability to transmit information to Meta.

Upon further investigation, the healthcare provider said that, depending on a user’s activity within the Novant Health website and MyChart portal, the leaked data could include email address, phone number, computer IP address, and healthcare appointment information.

“The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user,” Novant said.

Read more of the latest healthcare security news

The company said it has mailed letters to “some patients” following the discovery of the pixel misconfiguration. According to local press reports, more than 1.3 million individuals have been notified.

Patients at Novant’s New Hanover Regional Medical Center are not impacted. The incident, however, may affect other individuals who aren’t registered Novant Health patients but received a Covid-19 vaccine at a Novant facility.

“Based on our investigation, we do not have any evidence that this information was acted on by Meta or any other third party,” Novant said.

“We also have implemented more structure, governance, and policies around the use of pixels and promise that we will take appropriate actions to ensure that this does not happen again.”

RECOMMENDED Microsoft Edge deepens defenses against malicious websites with enhanced security mode