WakeMed has added itself to the long list of U.S. hospitals that have exposed their patients' medical data to a massive network of third parties, such as marketers and advertisers, by failing to properly configure the Meta Pixel tracker.
WakeMed is a 919-bed healthcare system that operates multiple facilities in North Carolina and an online patient portal called MyChart, which lets patients book doctor appointments, communicate with physicians, request medicinal prescriptions, etc.
As the medical institute disclosed earlier in the month, MyChart had a tracker from Meta (Facebook) named Pixel running even on pages beyond login screens, where patients entered sensitive personal and medical information.
Because these trackers can collect all data that website visitors enter in forms, some of the sensitive data entered by patients on the MyChart portal may have been sent outside WakeMed's systems.
Depending on the user's activity, the following data types might have been exposed:
- email address, phone number, and other contact information;
- computer IP address;
- emergency contact information;
- information provided during online check-ins, such as allergy or medication information;
- COVID vaccine status;
- appointment type and date and physician selected.
The period of exposure was determined to be between March 2018 and May 2022, when the healthcare system disabled Meta's trackers on all its pages to prevent further unintentional data leaks.
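A site operator can confirm that pages behind the login no longer pull in the Pixel or any other third-party tracker by auditing the HTML those pages serve. The sketch below is an added example, not code from WakeMed, MyChart, or Meta; the first-party hostnames and the sample page are constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse

# Assumption: hosts the portal itself serves from (hypothetical names).
FIRST_PARTY = {"portal.example.org", "static.example.org"}
# The Pixel loads fbevents.js from connect.facebook.net; its <noscript>
# fallback is an image beacon on www.facebook.com. Matching is by host only.
PIXEL_HOSTS = {"connect.facebook.net", "www.facebook.com"}

# Constructed sample of a post-login page (IDs are placeholders).
SAMPLE = """<html><head>
<script src="/js/app.js"></script>
<script src="https://static.example.org/ui.js"></script>
<script async src="https://connect.facebook.net/en_US/fbevents.js"></script>
<script>fbq('init', '000000000000000'); fbq('track', 'PageView');</script>
<noscript><img src="https://www.facebook.com/tr?id=000000000000000&amp;ev=PageView&amp;noscript=1"></noscript>
<script src="https://cdn.tracker.example/t.js"></script>
</head><body><form action="/checkin"><input name="allergies"></form></body></html>"""

class ThirdPartyAudit(HTMLParser):
    """Record external resources a page loads, plus inline fbq() calls."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self._in_script = False

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self._in_script = True
        url = dict(attrs).get("src")
        if tag in ("script", "img", "iframe") and url:
            host = urlparse(url).hostname  # None for relative (same-site) URLs
            if host and host not in FIRST_PARTY:
                kind = "meta-pixel" if host in PIXEL_HOSTS else "third-party"
                self.findings.append((kind, tag, host))

    def handle_endtag(self, tag):
        if tag == "script":
            self._in_script = False

    def handle_data(self, data):
        # The Pixel can also be injected by an inline loader with no static src.
        if self._in_script and "fbq(" in data:
            self.findings.append(("meta-pixel", "inline-script", "fbq"))

def audit(html):
    parser = ThirdPartyAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Static parsing misses scripts injected at runtime by a tag manager, so a check like this complements inspection of the network requests a logged-in session actually makes.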
According to the organization's submission of the data breach details to the authorities, the number of confirmed impacted individuals is 495,808.
WakeMed says Social Security numbers or any form of financial information have not been exposed as a result of this privacy breach unless the users have entered this information into MyChart's free text box.
At this time, Meta has not specified whether or not it has received sensitive patient data from WakeMed's MyChart, and if it did, whether or not this data was disseminated to more third parties.
However, considering the automation that characterizes these systems, it would be improbable that the data hasn't reached an extensive network of marketing firms that partner with Meta.
The tech giant claims it uses blockers that intervene to filter out the sensitive details collected from platforms that didn't configure the tracker properly. However, this system has thus far remained more of a theoretical promise than a proven scheme.
Nation-wide breach
Unfortunately, the case of WakeMed isn't isolated, as MyChart is used by no fewer than 64 U.S. healthcare providers, some of which have already admitted similar patient data breaches.
Notable examples of institutes that admitted similar breaches include:
- UCSF Medical Center
- Dignity Health Medical Foundation
- Novant Health
- Advocate Aurora Health
Most of these hospitals claimed they were unaware of the proper configuration for Meta Pixel, indicating a lack of guidance from the tech giant and disregard for practical details that can lead to violations of people's privacy rights.
To protect yourself from trackers that log details entered into forms, you can take the following steps:
- Use a secure browser that has the ability to block ads and trackers (including social media trackers).
- Use a VPN to hide your IP address from third parties and achieve a higher level of online privacy. Some VPNs also offer ad-blocking features that stop trackers and ad networks from collecting your data.
BoBeX
Great comments here.
Nothing to add, it has been said.
Riley Reid
Typical. What will it take for these people to secure customer data? Do they not learn anything from all these breaches?
Realist
Does the status quo care anymore about privacy and the warped mindset of Americans anymore? All they care about is driving a Tesla, what Musk has to say, creating anarchy and watching/posting TikTok videos.
Jumpy Tornado
Medical data is the most sensitive type of data. I believe as customers we should start to sue the organizations which are responsible for loss of customer data to malicious entities. And law should be enacted that organizations who fail to handle customer data should be fined.