Advocate Aurora Health Exposes Data Of 3M Patients Because Of A Meta Pixel Tracker


Summary Of The Attack

  • Advocate Aurora Health, a 26-hospital healthcare system in Wisconsin and Illinois, suffered a data breach that exposed the data of 3 million patients.
  • The issue most likely occurred due to an improperly implemented Meta Pixel tracker.
  • AAH is currently under investigation by the federal government.
  • The official advice to users is to use their web browser’s tracker-blocking features or its incognito mode when logging in on medical portals.

What Happened?

Advocate Aurora Health (AAH), a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3 million patients. The data leakage happened due to the improper usage of Meta Pixel on Advocate Aurora Health’s websites, where patients could log in and enter sensitive medical and personal information.

What Is A Meta Pixel?

Meta Pixel is an analytics tool that allows you to track your website visitors’ activities.

This tool is also known as the Facebook retargeting pixel. It is a snippet of code you can insert into the backend of your website, and it helps drive and decode key performance metrics generated by a particular platform.

It works by loading a small library of functions that you can call whenever a site visitor takes an action that you want to track.

You will also have options to reach those users again through future Facebook ads. It might be quite surprising that a pixel, which is a tiny area on the display screen, can also be used for online advertising.

A tracking pixel is a 1×1 graphic that is loaded each time a person visits a website that has the pixel implemented.

If the pixel is implemented correctly, all of this data should be encrypted and depersonalized.

What Was The Impact?

This practice is against the data privacy rules of the United States. Advocate Aurora Health is already under investigation, and its breach is publicly disclosed on the official site of the United States Department.

This could also lead to AAH being heavily penalized via class action lawsuits.

How Did The Data Leak Happen?

Security researchers commenting on the data breach have stated that the main reason for the data breach of 3 million patient records was the poor implementation of the Meta Pixel.

They stated that pixels generally do not collect the level of information that was disclosed in the data breach. This indicates that the implementation must have been done quite poorly, and without the approval of information security teams, for sensitive PHI to be disclosed to third parties.

The initial analysis conducted by Advocate Aurora Health’s investigation team showed that data such as:

  • IP address.
  • Dates and times of scheduled appointments.
  • Patient’s medical history.
  • Proxy account information.
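
The following is an added example, not code from the original article or from Advocate Aurora Health: a Node.js check a security team could run over requests captured from a portal session, flagging third-party requests whose parameters carry the kinds of data listed above. The host names, parameter names and patterns are assumptions, and the capture is constructed.

```javascript
// Added example: audit requests captured from a patient-portal session and
// flag third-party requests that carry portal data. All names are assumptions.
const FIRST_PARTY = new Set(["portal.hospital.example"]); // hypothetical portal host

// Illustrative patterns for the data categories the article lists.
// (The visitor's IP address is exposed by any third-party request at all.)
const SENSITIVE = [
  { label: "appointment date/time", re: /\b\d{4}-\d{2}-\d{2}[T ]\d{2}:\d{2}/ },
  { label: "authenticated portal path", re: /\/(appointments|medical-history|proxy)\b/i },
  { label: "patient/proxy identifier", re: /\b(patient|proxy)[_-]?id=\w+/i },
];

// Every decoded string a request hands to the receiving host.
function exposedStrings(req) {
  const out = [];
  for (const [k, v] of new URL(req.url).searchParams) out.push(`${k}=${v}`);
  if (req.referrer) out.push(req.referrer);
  if (req.body) out.push(req.body);
  return out;
}

function auditRequests(requests) {
  const findings = [];
  for (const req of requests) {
    const host = new URL(req.url).hostname;
    if (FIRST_PARTY.has(host)) continue; // the portal's own traffic is expected
    const hits = new Set();
    for (const s of exposedStrings(req))
      for (const { label, re } of SENSITIVE) if (re.test(s)) hits.add(label);
    if (hits.size) findings.push({ host, labels: [...hits].sort() });
  }
  return findings;
}

// Constructed capture: one first-party call, one tracker hit from a logged-in
// page, one tracker hit from a public page, one static asset.
const portalPage = "https://portal.hospital.example/appointments/2022-10-20T09:30?proxy_id=77";
const SAMPLE = [
  { url: "https://portal.hospital.example/api/appointments?patient_id=123" },
  { url: "https://tracker.example/collect?ev=PageView&page=" + encodeURIComponent(portalPage) },
  { url: "https://tracker.example/collect?ev=PageView", referrer: "https://hospital.example/locations" },
  { url: "https://cdn.example/lib.js" },
];
console.log(JSON.stringify(auditRequests(SAMPLE), null, 2));
```

Only the tracker request fired from the logged-in appointment page is reported; the same tracker on the public page passes, which is the distinction a review of tracker placement needs to make.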

Advocate Aurora Health’s Response

Advocate Aurora Health has stated that the Pixel tracker is now disabled on all systems and that it has implemented safeguards to prevent something similar from happening again.

However, the damage from the current data breach has already been done, and the data of 3 million patients has already been exposed.

Their official advice to users is to use their web browser’s tracker-blocking features or its incognito mode when logging in on medical portals.

This should serve as a wake-up call for organizations to comprehend the risk they take on when powering their web applications with tracking tools, especially from third-party vendors.

They are not only exposing their patients’ data but are also putting themselves in a position to face class action lawsuits and fines.

Article by

Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.