
Patient Files Class-action Suit Against Advocate Aurora Health Following Data Breach

The patient is alleging that the patient portal he used to communicate with his doctors at Advocate Aurora and to schedule appointments used a pixelated code that also enabled logging in via Facebook and then shared data with Facebook.

A patient affected by a data breach at Advocate Aurora Health has sued the healthcare system in a class-action lawsuit, claiming his private information was shared with Facebook in a breach that could have affected three million patients.

“Whenever a patient uses Advocate’s websites and applications, including its LiveWell portal, Advocate and Facebook intercept, contemporaneously cause transmission of, and use personally identifiable patient information and PHI without patients’ knowledge, consent, or authorization,” Alistair Stewart said in his complaint filed in Northern Illinois District Court last week. 

The case comes shortly after Advocate Aurora, based in Wisconsin and Illinois, issued a statement on October 21 on its website stating that a data breach had occurred. To remedy the breach, the hospital system has disabled the “pixel system.” The healthcare system also said it launched an internal investigation to understand what patient information was leaked.

Advocate Aurora, which currently has around 75,000 employees, including more than 22,000 nurses, and sees around 3 million patients, announced plans in May to merge with Atrium Health. The new organization will have a combined footprint across Illinois, Wisconsin, North Carolina, South Carolina, Georgia and Alabama. It will serve 5.5 million patients.

In his complaint requesting class-action status for all of those affected by the breach, Stewart is alleging that the healthcare system and Facebook were aware that personal information was not protected, violating HIPAA. Stewart claims that the way the “pixel” technology works, allowing third-party vendors to track patient browsing trends, shows the lack of data security Advocate Aurora had for its patients.

“At all relevant times, Advocate and Facebook knew that the Meta Pixel intercepted and disclosed personally identifiable patient information and PHI,” Stewart said in the complaint. “This was evidenced from, among other things, the functionality of the Pixel, including that it enabled Advocate’s LiveWell portal to show targeted advertising to its digital subscribers based on the products those digital subscribers had previously viewed on the website, including certain medical tests or procedures, for which Advocate received financial remuneration,” Stewart said. 

The data breach could have affected 3 million patients, according to the Health and Human Services’ list of cases under investigation. 

In the news release Advocate issued October 21, the healthcare system said that a variety of sensitive patient information had been compromised. That included the type of appointment or procedure a patient had, communications between patients and physicians that took place on MyChart, medical record numbers, information about a patient’s insurance status, and more.

A spokesperson for Advocate Aurora told MedCity News via email, “We are not aware of any misuse of information arising from this incident.”

Advocate Aurora continued in a statement, “Like others in our industry, we have used internet tracking technologies to improve the consumer experience across our websites and encourage individuals to schedule necessary preventive care. We are thoroughly evaluating the information we collect and track. As part of this evaluation and out of an abundance of caution, we have turned off pixels and related analytics tools across our online properties.”

The HHS list of ongoing investigations of healthcare data breaches shows how widespread the problem is, with new data breaches being reported nearly every day, and in a number of states. Although Advocate’s data breach was by far the largest in terms of the number of patients affected in the past month, several other data breaches in the past few weeks impacted hundreds of thousands of people each.

For example, in North Carolina, a data breach at WakeMed Health and Hospitals affecting nearly 500,000 people was reported the same day as Advocate’s data breach. At Keystone Health in Pennsylvania, a data breach within the last month affected more than 235,000 people.

Meta did not immediately reply to requests for comment. 
