Meta Pixel and Novant Healthcare, New Privacy Concerns
August 25, 2022
On August 22, 2022, U.S. healthcare provider Novant Health revealed that it had experienced a data breach that impacted more than 1 million individuals. The breach was caused by the Meta Pixel ad tracking script, a “JavaScript tracking script that Facebook advertisers can add to their site to track advertising performance”. According to Novant Health, the Meta Pixel tool had accidentally collected the personal information of the millions of patients served by the healthcare provider. The collection began in May of 2020, when Novant Health started running promotional campaigns for COVID-19 vaccinations on the organization’s Facebook page. These campaigns used Facebook advertisements, and Novant Health had “added the Meta Pixel code to their site to measure how well the advertisements worked.”
As a result, a wide range of personal information was disclosed to the general public without proper authorization. The categories of personal data disclosed during the breach included email addresses, phone numbers, IP addresses, emergency contact information, appointment information, and portal menu selections, among other pertinent information. On the surface, the Novant Health breach would appear to be one of the many such events that occur on a virtually daily basis, but the factors that influenced it are rooted in larger-scale privacy and data protection issues.
Targeted advertising
As is the case with many invasions of privacy that take place on a global scale, the ways in which businesses such as Meta use targeted advertising campaigns to drive revenue lie at the heart of the Novant Health data breach. The healthcare group was not hacked by a cybercriminal or bad actor; the culprit was Meta’s own Pixel tool, because of the integration this tool has with both Meta and the websites that run targeted advertisements. As stated on Meta’s website, the Pixel tool is designed to “help you better understand the effectiveness of your advertising and the actions people take on your site, like visiting a page or adding an item to their cart.” However, due to the inherent nature of social media websites such as Facebook, there is also a trove of personal data that the Pixel tool can collect inadvertently when it is being used for targeted advertising.
To illustrate this point further, the Novant Health data breach that took place this week is not the first time in 2022 that the Meta Pixel tool has been involved in some level of privacy infringement. For instance, a complaint filed in California federal court on August 10 by someone referred to as John Doe alleged that as many as 664 medical groups and healthcare facilities around the state had sent the medical information of their respective patients to Meta via the Pixel tool. What’s more, a similar complaint was filed by a Jane Doe in California in July of 2022, with this complaint stating that Meta’s Pixel tool effectively gives the company “the ability to surreptitiously gather every user interaction with the website ranging from what a user clicks on to the personal information entered on a website”.
HIPAA violations
While any data breach, irrespective of its scope and scale, will invariably result in adverse consequences for many of the affected parties, Novant Health’s recent data breach also constitutes a violation of the Health Insurance Portability and Accountability Act (HIPAA). As the provisions of HIPAA mandate that healthcare providers safeguard the Protected Health Information (PHI) of their numerous patients, any unauthorized access to such information is considered to be a violation of the law. This being the case, Novant Health stands to face monetary penalties and disciplinary actions in the months to follow due to its failure to protect the privacy of the multitude of patients it serves.
On the other hand, there is also an argument to be made that the data collection practices of Meta are in fact to blame for the data breach, as healthcare providers such as Novant Health likely did not consider that the Pixel tool could be used to facilitate a data breach. Moreover, the provisions of HIPAA were established long before the rise of our current digital age, and the ways in which data breaches occur today differ from the ways in which similar events transpired in the past. As such, the law does not take into account the role that targeted advertising plays in the business world, much less the ways in which such business practices can result in privacy breaches.
While the details surrounding Novant Health’s recent data breach are still unfolding, the sheer number of people who had their personal information exposed is still very concerning. On top of this, the role that Meta played in the data breach is equally concerning, as the line between delivering targeted advertising and protecting the personal privacy of consumers is extremely thin. For these reasons, healthcare providers such as Novant Health must do everything in their power to safeguard the medical information of their patients, as U.S. citizens can do very little to prevent tech companies such as Meta from essentially stealing their personal data without their consent.