WakeMed Reports Meta Pixel-Related Breach Impacting 495,000 People

The health system of WakeMed Health and Hospitals operates several medical facilities in Raleigh, NC. It recently informed approximately 495,000 of its patients about the potential impermissible disclosure of some of their protected health information (PHI) to Meta/Facebook because of adding the Meta Pixel tracking code on its webpage.

The health system announced the privacy violation on October 14, 2022. WakeMed explained that in March 2018, it initially put the Meta Pixel code on its website and MyChart patient portal. The purpose of the code is to collect data on the activity of users on websites, which is accomplished by using cookies. WakeMed stated the code was also used for website optimization and for better connection of members using the MyChart patient portal, which in turn improves their access to medical care and the WakeMed website.

Like numerous healthcare systems, WakeMed discovered that the snippet of JavaScript code not only monitors user activity but also sends information to Meta/Facebook, which possibly consists of sensitive patient data and data allowing patient identification. As per WakeMed, that data contained details input by patients on the appointment booking page and in the MyChart patient portal.

The types of data sent vary according to the patients’ activities on the web page, their usage of forms, and the information chosen or given when booking appointments. WakeMed stated the data sent to Meta/Facebook possibly included at least one of these: IP address, email address, telephone number, other contact details, emergency contact data, details given while doing online check-in (for example, allergy or medication details), COVID vaccine status, data concerning a scheduled appointment (for example, appointment type and date, doctor chosen, and button/menu options), and any data put into free text boxes.

WakeMed stated its investigation cannot establish if Meta or Facebook gathered or utilized any of the data sent by the Meta Pixel code. According to Meta’s previous statement, when it identifies any data it isn’t permitted to obtain, the data won’t be utilized or given to third parties for uses like offering targeted ads. Several lawsuits were filed against other healthcare companies that state targeted ads were offered to utilize Meta Pixel-gathered information.

WakeMed mentioned that after knowing about the problem, it removed the Meta Pixel code from its web page in May 2022. It has no plans of further using the code except if it can be affirmed that there’s no possibility of transmitting sensitive information. Guidelines and procedures were also enforced concerning the extensive evaluations of code prior to including it to its website to avoid the same cases later on. The North Carolina Attorney General has started investigating the incident.

WakeMed, together with, Aurora Advocate Health and Novant Health has sent notifications to people concerning the impermissible disclosures of PHI because of the Meta Pixel and other monitoring codes and, this is not likely to be the final statement by a healthcare company. The Markup/STAT conducted a study involving the top 100 hospitals in the United States and discovered that 33% had added the Meta Pixel code on their web pages.