Advocate Aurora Health Exposes Data Of 3M Patients Because Of A Meta Pixel Tracker

Author: Eva Georgieva / Last Updated: 10/26/2022

Reviewed By: Dalibor Gašić, & Michael Swanagan, CISSP, CISA, CISM


Summary Of The Attack

  • Advocate Aurora Health, a 26-hospital healthcare system in Wisconsin and Illinois, suffered a data breach that exposed the data of 3 million patients.
  • The issue most likely occurred because of an improperly implemented Meta Pixel tracker.
  • AAH is currently under investigation by the federal government.
  • The official advice to users is to use web browsers’ tracker-blocking features or the browser’s incognito mode when logging in to medical portals.


What Happened?

 

Advocate Aurora Health, AAH, a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3 million patients. The data leakage happened due to the improper usage of Meta Pixel on Advocate Aurora Health’s websites, where patients could log in and enter sensitive medical and personal information.

What Is A Meta Pixel?

 

Meta Pixel is an analytics tool that lets you track your website visitors’ activities.

 

Informally, this tool is known as the Facebook retargeting pixel: a snippet of code you insert into the backend of your website that helps drive and decode key performance metrics generated by a particular platform.

 

The way it works is by loading a small library of functions that you can use whenever a site visitor takes an action that you want to track.

 

You will also have options to reach those users again through future Facebook ads.

 

It might be surprising that a pixel, a tiny area on a display screen, can also be used for online advertising.

 

A tracking pixel is basically a 1×1 graphic that is loaded each time a person checks the website that has the pixel implemented.

 

All this data should be encrypted and depersonalized if implemented correctly.

What Was The Impact?

 

This practice is against the data privacy rules of the United States. Advocate Aurora Health is already under investigation, and its breach is publicly disclosed on the official site of the United States Department.

 

This could also lead to AAH being heavily penalized via class action lawsuits.


How Did The Data Leak Happen?

 

Security researchers commenting on the data breach have stated that the main reason for the data breach of 3 million patient records was the poor implementation of the Meta Pixel.

 

They stated that pixels generally do not collect the level of information that was disclosed in this breach, which indicates that the implementation must have been done quite poorly, and without the approval of information security teams, for sensitive PHI to be disclosed to third parties.

 

The initial analysis conducted by Advocate Aurora Health’s investigation team showed that the exposed data included:

  • IP address
  • Dates and times of scheduled appointments
  • Gist of the patient’s medical history
  • Proxy account information
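The two sections above describe how a tracking pixel works (a small library that fires a 1×1 image request whenever a tracked action happens) and what went wrong here (page code handing appointment and medical details to that library on authenticated portal pages). The following is an added illustration, not code from this article, from Advocate Aurora Health or from Meta’s own Pixel library. It models a naive beacon beside a hardened wrapper that refuses to fire inside the patient portal and strips everything except allowlisted marketing fields. The parameter names (dl, ev, cd), the portal path prefixes, the allowlist and the sample page data are all assumptions constructed for the example.

```javascript
// Added example (not the article's, AAH's or Meta's code): contrasts what a
// naively wired tracking pixel reports with what a privacy-safe wrapper allows.
// Parameter names and paths below are assumptions chosen for illustration.

// Paths belonging to the authenticated patient portal (constructed for the example;
// a real deployment would derive these from its own routing table).
const SENSITIVE_PATH_PREFIXES = ['/portal/', '/myhealth/', '/appointments/'];

// The only custom fields a marketing pixel legitimately needs. Anything else is
// dropped before it leaves the browser.
const ALLOWED_FIELDS = new Set(['page_type', 'campaign']);

// Naive beacon: records exactly what a pixel would send when page code passes it
// whatever is on screen. A real pixel encodes these as query parameters on a
// 1x1 image request, and the pixel server also sees the client's IP address.
function naivePixelBeacon(page, eventName, customData) {
  return {
    dl: page.href,           // full URL, including query string
    ev: eventName,
    cd: { ...customData },   // everything the page handed over, PHI included
  };
}

// Hardened wrapper: decides whether a beacon may fire at all, and if so trims it
// to non-identifying, allowlisted fields with the query string removed.
function safePixelBeacon(page, eventName, customData, { loggedIn }) {
  const url = new URL(page.href);
  const onPortal = SENSITIVE_PATH_PREFIXES.some(p => url.pathname.startsWith(p));
  // No third-party tracking inside the portal or for a logged-in session: even a
  // bare PageView would reveal that this IP address is a patient.
  if (onPortal || loggedIn) {
    return null;
  }
  // Origin and path only; query strings often carry identifiers and search terms.
  const scrubbedLocation = `${url.origin}${url.pathname}`;
  const cd = {};
  for (const [key, value] of Object.entries(customData || {})) {
    if (ALLOWED_FIELDS.has(key)) cd[key] = value;
  }
  return { dl: scrubbedLocation, ev: eventName, cd };
}

// Constructed sample: a logged-in patient on a scheduling page whose code
// (wrongly) hands appointment details and a diagnosis to the tracker.
const samplePage = {
  href: 'https://example-health.test/appointments/schedule?patient=12345&provider=cardiology',
};
const sampleData = {
  page_type: 'appointment',
  campaign: 'spring',
  appointment_time: '2022-10-03T09:30',
  diagnosis: 'hypertension',
};

// Runs both paths so the difference can be inspected or asserted on.
function demo() {
  return {
    naive: naivePixelBeacon(samplePage, 'PageView', sampleData),
    hardened: safePixelBeacon(samplePage, 'PageView', sampleData, { loggedIn: true }),
    publicPage: safePixelBeacon(
      { href: 'https://example-health.test/locations?ref=ad' },
      'PageView',
      { campaign: 'spring', ip_hint: '203.0.113.5' },
      { loggedIn: false },
    ),
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The naive beacon carries the patient identifier from the query string, the appointment time and the diagnosis; the hardened wrapper returns null on the portal page and, on a public marketing page, sends only the path and the campaign field. A review of which pages load the pixel and which fields page code passes to it is the check that would have caught this class of leak.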

Advocate Aurora Health’s Response

 

Advocate Aurora Health has notified patients that the Pixel tracker has been disabled on all of its systems, and it has implemented safeguards to prevent something similar from happening again.

 

However, the damage from this data breach has already been done: the data of 3 million patients has already been exposed.

 

Their official advice to users is to use web browsers’ tracker-blocking features or the browser’s incognito mode when logging in to medical portals.

 

This should serve as a wake-up call for organizations to understand the risk they take on when powering their web applications with tracking tools, especially those from third-party vendors.

 

They are not only exposing their patients’ data but also are putting themselves in a situation to face class action lawsuits and fines.

 


Eva Georgieva

Eva is a security engineer, researcher, and penetration tester with over 5 years of experience working on both red teams and blue teams.
