WakeMed Health and Hospitals (“WakeMed”) has sent breach notification letters to nearly 495,000 patients notifying them that their PHI may have been impermissibly disclosed to Meta/Facebook. The breach was due to the use of the Meta Pixel tracking code on WakeMed’s website.
The Meta Pixel code was added to WakeMed’s website and patient portal in March 2018. The North Carolina-based health care provider stated that the code – which effectively collects user information via cookies – was added to the website to “better connect members of our community with WakeMed’s MyChart patient portal, thereby improving access to their health care, and to help improve the WakeMed website.”
However, as well as collecting user information, the code transmits data to Meta/Facebook. This data may contain sensitive information about patients, some of which could be used to trace the identity of individuals. The data transmitted will depend on the patient and how extensively they used the website. WakeMed has stated that the types of information that may have been sent to Meta/Facebook include email addresses, phone numbers, contact details, IP addresses, information about scheduling appointments (including upcoming appointments), emergency contact details, COVID vaccination status, and any information entered by the patient into free-form boxes.
Despite giving this warning to patients, WakeMed could not state whether Meta/Facebook actually used any of the information transmitted via the code. Meta has previously stated that, unless it has been authorized to use the data, it will not use or further the data.
After discovering the issue with using Meta Pixel, WakeMed removed the code from its website in May 2022. WakeMed has also stated that it has implemented new review procedures to ensure that any code used in the future will not have the same issues. Nevertheless, the North Carolina Attorney General has launched an investigation into WakeMed and its possible data breach.
WakeMed has stated:
“WakeMed has initiated a comprehensive review of our policies and procedures related to gathering website user data and will make changes as needed to enhance privacy and prevent a situation like this from happening in the future.
At this time, WakeMed is unaware of any improper use or attempted use of any patient information by Meta or any other third party. According to its terms and conditions, Meta has policies and filters that block sensitive personal data from being incorporated into its advertising programs and does not use any such information.”
WakeMed is not the only healthcare organization caught using Meta Pixel code. A class action lawsuit was filed earlier this year in California, alleging that Meta collected PHI from healthcare organizations and sold it to third parties. In addition, The Markup/STAT estimates that around one-third of the top 100 hospitals in the US have Meta Pixel code on their websites, potentially jeopardizing patient privacy.