Patient Health Information from healthcare provider Novant Health’s website was sent to Facebook due to a faulty configuration of the tracking code ‘Pixel’. Sensitive information like the patient’s email address, phone number, emergency contacts, advanced care planning, appointment type, appointment date, selected physician, and IP address was transmitted to Facebook.
Novant Health informs affected individuals
Novant Health apologized to its patients and has mailed letters to the affected individuals. This transmission happened because of a faulty configuration of Pixel, which was used on the Novant Health website. Pixel by Facebook was added to Novant’s website to trace users’ activities using Novant Health searches on Facebook.
The Pixel campaign, which was operational to connect patients during the pandemic, included 64 healthcare service providers. The leak means that the details of over 1,362,296 individuals are at stake. Any details filled in by patients or others in the form are vulnerable to abuse if accessed by a third party. Beyond the details on the form, any other information entered in the free text box may have also been sent to Facebook.
Novant Health removes Pixel
Novant Health learned about the data breach in May this year and then took necessary actions to stop the flow of information to Facebook in late May 2022. The health care provider maintained on their website that as soon as they learned about the data breach, they disabled and removed the Pixel. They also investigated to understand the extent of the breach.
Novant Health maintained that Facebook did not respond to the multiple communication attempts made by the company related to the exposed data.
Why did Novant Health and MyChart use Pixel?
The Novant Health MyChart patient portal was an initiative launched during the onslaught of the COVID-19 pandemic. Since reaching doctors in person became difficult during those times, Novant Health collaborated with MyChart to start a campaign to assist users in getting a virtual appointment with a doctor. To do this, advertisements were placed on Facebook, as more people have access to the social networking website.
The results of the interactions people had on Facebook while looking for a doctor’s appointment at Novant Health were captured by the Pixel code. The data was expected to reach Novant Health. However, it also reached Facebook because of the faulty configuration in Pixel. The reverse flow of sensitive patient information from Novant Health and MyChart Portal to Facebook led to the breach of PHI.