RALEIGH, NC (WNCN) – Nearly half a million people may have been affected by a data incident that occurred when confidential patient information stored by WakeMed was shared with Facebook by a marketing tool.
Between March 2018 and May 2022, 495,000 people accessed WakeMed’s MyChart patient portal or booked a doctor’s appointment. WakeMed sent a letter to these patients informing them that Facebook may have obtained personal medical information as part of a tracking initiative.
“Facebook went beyond what they were doing beyond just tracking that you were there,” said cybersecurity expert Rob Downs of Managed IT Solutions in Raleigh. “They were also tracking what data you might have entered at that time.”
WakeMed explained to CBS 17 what led to the data incident.
It used a Facebook pixel on its MyChart website that was supposed to track data anonymously.
IT pros say tracking pixels are used by many organizations to create retargeted ads.
“As you browse through Facebook, ads appear for certain places you’ve been, that’s the purpose of the Facebook pixel,” Downs said.
The hospital told industry reporter Steve Sbraccia that it was made aware of the data leak in May.
It says the creators of MyChart, Epic Systems, informed WakeMed that the pixel may also have conveyed “allergy or medication information; COVID vaccination status; information about upcoming appointments, such as the type and date of the appointment, and the doctor selected.”
This happened within the last four years, and all of this potentially transmitted information is HIPAA-protected.
“It’s the hospital’s responsibility to make sure the data remains secure,” Downs said. “They should have done more research on what was leaving the website.”
The hospital said that when it found out what was going on, it disabled the pixel in May, but did not send the notification letter until October 11 because it was conducting “extensive forensic research to try to determine what information, if any, may have been transmitted and who may have been affected.”
The hospital says it has no plans to use the Facebook tracking pixel until it can be assured of its integrity and is making changes to improve privacy to prevent future data mishaps.
“There’s not much you can do,” Downs said. “The hospital has taken corrective action. Anything beyond that should be at the federal or state level to reprimand Facebook for taking more data than it should have.”
WakeMed believes that Facebook, along with its parent company Meta and associated third parties, has not misused any patient information they may have obtained in any of their advertising programs.
The hospital has also created a special webpage to deal with the pixel situation which you can access here.