North Carolina-based healthcare provider Novant Health has informed its 1.3 million patients that their protected health information may have been compromised, but in a twist, the breach stems from the use of Meta Platforms Inc. tracking pixels.

The health system, which services four U.S. states, had been using Meta tracking pixels — JavaScript code that allows websites to track visitors — on hundreds of hospital websites within patient portals. By itself, that’s not a significant issue, but Novant Health was also using the tracking pixels within password-protect patient portals, Health IT Security reported today.

With Meta’s tracking pixels being used within protected portals, packets of data are believed to have been sent to its Facebook site whenever someone clicked on a button to schedule a doctor’s appointment. Facebook is believed to have received protected health information, which could be linked to a user’s unique IP address.

Novant Health first introduced Meta pixels to its websites in May 2020 as part of a promotional campaign to connect patients to its Novant Health MyChart patient portal. “This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those efforts on Facebook,” the health system explained in a notice to patients.

The health system subsequently determined that sensitive information was disclosed to Meta on June 17 this year. Information sent may have included contact information, appointment details, computer IP addresses, information entered into free text boxes, and button and menu selections.

However, patients at Novant Health are not alone in potentially having their information sent to Facebook. SC Media reported Aug. 1 that the University of California San Francisco Medical Center and Dignity Health Medical Foundation have filed a lawsuit against Meta in Northern California alleging that Facebook was scraping healthcare data from hospital websites without user consent.

Amit Shaked, chief executive officer of cybersecurity company Laminar Ltd., told SiliconANGLE that continuously monitoring who or what has access or is accessing data would have almost instantly uncovered that Meta had full access to sensitive data it shouldn’t have.

“IT teams must prioritize visibility into cloud data in order to prevent third parties from gaining access to sensitive data and cloud data security solutions must continuously protect this data, even as it is copied or moved by developers and data scientists,” Shaked said. “Having full visibility of your data and knowing when a third party has access to sensitive data can help prevent data breaches such as these.”

Photo: Novant Health