Certain Novant Health Inc. patients are being notified that their protected health information may have improperly disclosed through a tracking tool linked to Facebook as part of a marketing campaign that began in May 2020.
Novant did not disclose Friday how many patients were affected by the pixel tracking, but said it has mailed 1.3 million notification letters.
Novant said the tracking involved the use of a Facebook-related pixel, which was “configured incorrectly and may have allowed certain private information to be transmitted to (Facebook parent company) Meta from the Novant Health website and MyChart portal.”
The patient information disclosure involves:
People are also reading…
* Patient’s demographic information, such as email address, phone number, computer IP address and contact information entered into emergency contacts or advanced care planning;
* Appointment type and date;
* Physician selected;
* Button/menu selections, and/or content typed into free text boxes.
Novant said the disclosure did not affect patients’ Social Security numbers or other financial information “unless it was typed into a free text box by the user.”
Novant said among patients receiving the notification letter will be patients of independent physicians and facilities who use MyChart.
The system said the letter is part of an outreach effort — “to be as transparent as possible” — about the disclosure. “The letter sent to each patient will specifically state whether such financial information may have been involved.”
Novant said patients at New Hanover Regional Medical Center in the Wilmington market were not affected by the disclosure cited in the statement.
Novant and Atrium Health were among 33 major healthcare systems nationwide identified in a June 16 report by The Markup as having certain patient information tracked and made available to Facebook.
The Markup is a nonprofit investigative media outlet that specializes in mining technology data for its reports.
The Markup began its report by saying that “a tracking tool, known as Meta Pixel, was installed on many hospitals’ websites and has been collecting patients’ sensitive health information — including details about their medical conditions, prescriptions and doctor’s appointments — and sending it to Facebook.”
The tracker sends Facebook “a packet of data whenever a person clicked a button to schedule a doctor’s appointment.” The data is connected to an IP address, “creating an intimate receipt of the appointment request for Facebook,” the group said.
Novant was among seven systems using Pixel in their patients’ password-protected portals, the report said.
Ashton Miller, Novant’s director of media relations, said June 16 that the entire Novant system was affected by the tracking tool. Miller said Novant removed the tracker after being contacted by The Markup, which the group confirmed in its report.
Novant said the disclosure issue emerged from a promotional campaign it began in May 2020 “to connect more patients to the Novant Health MyChart patient portal with the goal of improving access to care through virtual visits and provide increased accessibility to counter the limitations of in-person care.”
Facebook’s involvement was in the form of Novant advertisements on the website, along with the tracking pixel placed on Novant’s website “to help understand the success of those efforts on Facebook.”
Novant said that once it became aware that the pixel had the capability to transmit unintended information to Meta, it was disabled and removed. The system began an investigation “to learn whether, and to what extent, information was transmitted.”
“Based on its investigation, Novant Health is unaware of any improper use or attempted use of any patient information by Meta or any other third party,” Novant said.
Novant said it “has also implemented more structure, governance and policies around the use of pixels and is taking actions to ensure this does not happen again.”
For more information, patients can call 704-561-6950 or go to www.novanthealth.org/pixel, as well as https://consumer.ftc.gov/online-security to learn more about best practices to protect their information online.
Simon Fondrie-Teitler, one of The Markup’s authors on the report, said that “the scope of health data potentially being sent to Facebook is generally wider inside an electronic health record (EHR) than on a scheduling page.
“EHRs can have a fairly comprehensive record of a patient’s care.”
Novant was featured in a section of the group’s report. The Markup said it created a MyChart account to determine the breadth of the tracker.
“We found the Meta Pixel collecting a variety of other sensitive (patient) information.”
“Clicking on one button prompted the pixel to tell Facebook the name and dosage of a medication in our health record, as well as any notes we had entered about the prescription.
The pixel also told Facebook which button we clicked in response to a question about sexual orientation.”
Miller sent The Markup a statement that included “we appreciate you reaching out to us and sharing this information. Our Meta pixel placement is guided by a third-party vendor, and it has been removed while we continue to look into this matter.”
In Miller’s statement, she said the vendor was hired “to help us develop and implement a campaign designed to encourage individuals to sign up for MyChart.”
“The goal of this endeavor was to get more people to take advantage of virtual care opportunities, especially since COVID was having a significant impact on how people preferred to receive care, as well as on our resources to provide in-person care.
“We used tracking pixels to determine how many people signed up for MyChart, not what they did after they signed in.”
Miller said that Novant “takes privacy and the care of patient information very seriously ... and we value the trust our patients place in us to keep their medical information private.”
The only mention of Atrium in the report is confirmation of its use of the tracker, which still was active when the report was published.
Although Atrium owns and operates Wake Forest Baptist Medical Center, only its Charlotte flagship Carolinas Medical Center was mentioned.
Atrium said in a June 16 statement that “because privacy is critically important to us, we have stringent, effective safeguards in place in our digital environment. We will continue to monitor and validate the tools we use to best serve our communities.”
The Charlotte Observer reported that Atrium’s scheduling page was sending data to Facebook as of June 16. It asked patients to input the condition they’re seeking care for, their age and their location.
Other N.C. healthcare systems listed by the group as providing information to Facebook were Duke University Hospital and WakeMed.
The group said WakeMed removed the tracker after being contacted and before the report was released. Duke University told the group it has removed the tracker since the publication of the report.
The Charlotte Observer reported that Atrium, Duke University, Novant and WakeMed recorded more than 4 million admissions and outpatient appointments in 2020, according to data from the American Hospital Association.
Researchers determined that UNC Rex and UNC Hospitals did not participate, while Cone Health was not included in the review of the top-100 U.S. hospitals.
Cone said in a statement that “like a lot of companies, we use Facebook Pixel to determine the effectiveness of our digital efforts.”
“However, Cone Health does not have any advertising pixels — Facebook Pixel included — our MyChart patient portal.”