Some Novant Health Inc. patients are being notified that their protected health information may have been inappropriately disclosed through a Facebook-related tracking tool as part of a marketing campaign that began in May 2020.
Novant did not disclose on Friday the number of patients affected by pixel tracking, but said it had sent 1.3 million notification letters.
Novant said the tracking involved the use of a Facebook-related pixel, which was “incorrectly configured and may have allowed certain private information to be transmitted to (Facebook’s parent company) Meta from Facebook’s website. Novant Health and the MyChart portal”.
Disclosure of patient information involves:
People also read…
* Patient demographic information, such as email address, phone number, computer IP address, and contact information entered in Emergency Contacts or Advanced Care Planning;
* Type and date of appointment;
* Selections of buttons/menus and/or content entered in free text boxes.
Novant said the disclosure did not affect patients’ Social Security numbers or other financial information “unless entered into a free text box by the user.”
Novant said that among the patients receiving the notification letter will be patients from independent physicians and facilities that use MyChart.
The system said the letter was part of an outreach effort — “to be as transparent as possible” — regarding the disclosure. “The letter sent to each patient will specifically indicate whether such financial information may have been involved.”
Novant said patients at the New Hanover Regional Medical Center in Wilmington Market were unaffected by the disclosure cited in the statement.
Novant and Atrium Health were among 33 major health systems nationwide identified in a June 16 report by The Markup as having certain patient information tracked and made available to Facebook.
The Markup is a non-profit investigative media outlet that specializes in mining technology data for reporting.
The Markup began its report by saying that “a tracking tool, known as Meta Pixel, was installed on the websites of numerous hospitals and collected sensitive patient health information – including details about their medical conditions, prescriptions and doctor’s appointments – and sent it to Facebook.
The tracker sends Facebook “a packet of data each time someone clicks a button to schedule a doctor’s appointment.” The data is connected to an IP address, “creating an intimate reception of the date request for Facebook”, specifies the group.
Novant was among seven systems using Pixel in their patients’ password-protected portals, according to the report.
Ashton Miller, director of media relations for Novant, said on June 16 that the entire Novant system was affected by the tracking tool. Miller said Novant removed the tracker after being contacted by The Markup, which the band confirmed in its report.
Novant said the disclosure issue emerged from a promotional campaign launched in May 2020 “to connect more patients to the Novant Health MyChart patient portal with the goal of improving access to care through virtual visits and providing increased accessibility to counter the limitations of the caring person.”
Facebook’s involvement took the form of Novant advertisements on the website, as well as the tracking pixel placed on Novant’s website “to help understand the success of these efforts on Facebook.”
Novant said once it became aware that the pixel had the ability to pass unintended information to Meta, it was disabled and removed. The system opened an investigation “to find out if, and to what extent, information has been transmitted”.
“Based on its investigation, Novant Health is not aware of any misuse or attempted use of patient information by Meta or any other third party,” Novant said.
Novant said it “has also put in place more structure, governance and policies around pixel usage and is taking steps to ensure this doesn’t happen again.”
For more information, patients can call 704-561-6950 or go to www.novanthealth.org/pixel, as well as https://consumer.ftc.gov/online-security to learn more about best practices to protect their information online. .
Simon Fondrie-Teitler, one of the authors of The Markup’s report, said that “the scope of health data potentially sent to Facebook is generally broader in an electronic health record (EHR) than on a planning page.
“EHRs can have a pretty comprehensive record of a patient’s care.”
Novant was featured in a section of the group’s report. The markup said it created a MyChart account to determine the scope of the tracker.
“We found that the Meta Pixel collected a variety of other sensitive (patient) information.”
“By clicking a button, the pixel prompted the pixel to tell Facebook the name and dosage of a drug in our health record, along with any notes we had entered about the prescription.
The pixel also told Facebook which button we clicked in response to a question about sexual orientation.
Miller sent The Markup a statement that included “we appreciate you contacting us and sharing this information. Our metapixel placement is guided by a third-party vendor, and it has been removed while we continue to investigate this issue. »
In Miller’s statement, she said the vendor was hired “to help us develop and implement a campaign designed to encourage individuals to sign up for MyChart.”
“The goal of this venture was to inspire more people to take advantage of virtual care opportunities, especially as COVID had a significant impact on how people preferred to receive care, as well as our resources to provide in-person care.
“We used tracking pixels to determine how many people signed up for MyChart, not what they did after logging in.”
Miller said Novant “takes the privacy and care of patient information very seriously…and we appreciate the trust our patients place in us to keep their medical information private.”
The only mention of Atrium in the report is confirmation of its use of the tracker, which was still active at the time of the report’s publication.
Although Atrium owns and operates Wake Forest Baptist Medical Center, only its flagship medical center in Charlotte, Carolinas was mentioned.
Atrium said in a June 16 statement that “because privacy is of critical importance to us, we have implemented strict and effective safeguards in our digital environment. We will continue to monitor and validate the tools we use to better serve our communities.
The Charlotte Observer reported that Atrium’s planning page was sending data to Facebook starting June 16. She asked patients to enter the condition they were seeking care for, their age, and their location.
Other North Carolina health systems listed by the group as providing information to Facebook were Duke University Hospital and WakeMed.
The group said WakeMed removed the tracker after being contacted and before the report was published. Duke University told the group it had removed the tracker since the report was published.
The Charlotte Observer reported that Atrium, Duke University, Novant and WakeMed had more than 4 million admissions and outpatient appointments in 2020, according to data from the American Hospital Association.
The researchers determined that UNC Rex and UNC hospitals did not participate, while Cone Health was not included in the review of America’s Top 100 Hospitals.
Cone said in a statement that “like many companies, we use Facebook Pixel to determine the effectiveness of our digital efforts.”
“However, Cone Health does not have advertising pixels – Facebook Pixel included – our patient portal MyChart.”