Facebook ad-tracking script exposes 1.36 million patients’ healthcare data
Novant Health has disclosed a data leak affecting 1,362,296 US-based individuals due to a misconfiguration of its Meta Pixel ad tracking JavaScript code, BleepingComputer reported.
Meta Pixel tracks user activity and advertising performance when incorporated into a website’s JavaScript code. Meta Platforms is Facebook’s parent company.
Recent analyses showed that the code tracks user web form inputs, including passwords, contact information, and credit card details.
“Immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta, Novant Health disabled and removed the pixel as a precaution and began an investigation to learn whether, and to what extent, information was transmitted.”
“Based on that investigation, Novant Health determined on June 17, 2022, that it was possible [protected health information] might have been disclosed to Meta, depending upon a user’s activity within the Novant Health website and MyChart portal.”
Information possibly sent to Facebook includes patients’ email addresses, phone numbers, IP addresses, contact information, appointment types and dates, selected physician, button or menu selections, and content typed into free text boxes.
Novant Health said patients’ social security numbers or other financial information were not captured unless users typed them into a free text box.
The healthcare services provider says it sent notices to affected individuals after an investigation concluded on 17 June.
It incorporated the Meta Pixel into its Covid-19 Facebook advertisement campaign starting in May 2020.
“This campaign involved Facebook advertisements and a Meta tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook.”
Novant Health reassured its clients that there was no evidence showing that Meta or any third parties acted on the compromised information or misused it.
“According to Facebook’s Terms and Conditions, they have policies and filters that block sensitive personal data and do not incorporate that information into their Ad Manager,” Novant Health said.
The disclosure stated that Novant Health contacted Meta “several times and through different channels” but never got a response.