Meta Pixel and Novant Healthcare, New Privacy Concerns

August 25, 2022 | 4 minutes read
Meta Pixel and Novant Healthcare, New Privacy Concerns

On August 22, 2022, U.S. healthcare provider Novant Health revealed that they had experienced a data breach that impacted more than 1 million individuals. This data breach was caused by the Meta Pixel ad tracking script, a “JavaScript tracking script that Facebook advertisers can add to their site to track advertising performance”. According to Novant Health, the Meta Pixel tool had accidentally collected the personal information of the millions of patients served by the healthcare provider, which first began in May of 2020, when Novant Health started running promotional campaigns for COVID-19 vaccinations on the organization’s Facebook page. Likewise, these campaigns utilized Facebook advertisements, as Novant Health had “added the Meta Pixel code to their site to measure how well the advertisements worked.”

As a result of these actions, a wide range of personal information was disclosed to the general public without proper authorization. More specifically, the categories of personal data that were disclosed during the course of the breach included email addresses, phone numbers, IP addresses, emergency contact information, appointment information, and portal menu selections, among other pertinent information. With all this being said, while the data breach that Novant Health recently sustained would appear to be one of the many of such events that occur on a virtually daily basis on the surface, the factors that influenced the breach are rooted in larger-scale privacy and data protection issues.

Targeted advertising

As is the case with many invasions of privacy that take place on a global scale, the ways in which businesses such as Meta use targeted advertising campaigns to drive revenue lie at the heart of the Novant Health data breach. To this point, the healthcare group was not hacked by a cybercriminal or bad actor, as the culprit in the attack was Meta’s own Pixel tool, due to the integration that this tool has with both Meta, as well as online websites that run targeted advertisements. As stated on Meta’s website, the Pixel tool is designed to “help you better understand the effectiveness of your advertising and the actions people take on your site, like visiting a page or adding an item to their cart.” However, due to the inherent nature of social media websites such as Facebook, there is a trove of personal data that the Pixel tool can also collect inadvertently when the tool is being used to engage in targeted advertising.

To illustrate this point further, the Novant Health data breach that took place this week is not the first time in 2022 that the Meta Pixel tool has been involved in some level of privacy infringement. For instance, a complaint filed in California federal court on August 10 by someone referred to as John Doe alleged that as many as 664 medical groups and healthcare facilities around the state had sent the medical information of their respective patients to Meta via the Pixel tool. What’s more, a similar complaint was filed by a Jane Doe in California in July of 2022, with this complaint stating that Meta’s Pixel tool effectively gives the company “the ability to surreptitiously gather every user interaction with the website ranging from what a user clicks on to the personal information entered on a website”.

HIPAA violations

Despite the fact that any data breach, irrespective of the scope and scale of such an incident, will invariably result in adverse consequences for many of the affected parties, Novant Health’s recent data breach also constitutes a violation of the Health Insurance Portability and Accountability Act (HIPAA). As the provisions of HIPPA mandate that healthcare providers safeguard the Protected Healthcare Information (PHI) of their numerous patients, any unauthorized access to such information is considered to be a violation of the law. This being the case, Novant Health stands to face monetary penalties and disciplinary actions in the months to follow due to its failure to protect the privacy of the multitude of patients they serve.

On the other hand, there is also an argument to be made that the data collection practices of Meta are in fact to blame for the data breach, as healthcare providers such as Novant Health likely did not consider that the Pixel tool could be used to facilitate a data breach. Subsequently, the provisions of HIPAA were established long before the rise of our current digital age, as the ways in which data breaches occur currently are different than the ways in which similar events have transpired in the past. As such, the law does not take into account the role that targeted advertising plays in the business world, much less the ways in which such business practices can result in privacy breaches.

While the details surrounding Novant Health’s recent data breach are still unfolding, the sheer number of people that had their personal information exposed is still very concerning. On top of this, the role that Meta played in the data breach occurring is equally concerning, as the line between delivering targeted advertising and protecting the personal privacy of consumers is extremely thin. For these reasons, healthcare providers such as Novant Health must do everything in their power to safeguard the medical information of their patients, as U.S. citizens can do very little to prevent tech companies such as Meta from essentially stealing their personal data without their consent.

Related Reads

Sensitive Information, Protected: Patient Privacy, HIPAA, And You
August 30, 2023 | 4 minutes read
Sensitive Information, Protected: Patient Privacy, HIPAA, And You

HIPAA compliance ensures patient privacy. Often making the consequences of non-compliance severe, so how do you avoid that?

Learn More »
Protecting Privacy in the Healthcare Field: PII, PHI & PCI
July 12, 2023 | 5 minutes read
Protecting Privacy in the Healthcare Field: PII, PHI & PCI

Healthcare professionals handle a wide range of sensitive data that is crucial for delivering quality care. But protecting that data is getting harder.

Learn More »
Using Redaction for Privacy Maintenance as An Investigator
May 31, 2023 | 5 minutes read
Using Redaction for Privacy Maintenance as An Investigator

These oaths emphasize upholding the law, serving the public, and protecting the rights of individuals. One of these many rights is privacy. An investigator must adhere to the legal and ethical guidelines within the jurisdiction and perform their investigation within those specifically set boundaries.

Learn More »
The Comprehensive Policing and Justice Reform Emergency Amendment Act
May 15, 2023 | 6 minutes read
The Comprehensive Policing and Justice Reform Emergency Amendment Act

An “Amendment Act” is what describes legislation that can alter existing laws instead of producing a new law from the ground up. The Comprehensive Policing and Justice Reform Emergency Amendment Act is a standalone emergency legislation passed by the D.C council in June of 2020 amending some existing laws relating to justice reform and policing.

Learn More »
Barcodes, A Sick Wife, and Long Lines Made it Happen
April 24, 2023 | 5 minutes read
Barcodes, A Sick Wife, and Long Lines Made it Happen

Problems of Yesteryear Imagine receiving news that your spouse, who is away on a business trip, is very ill. To make matters worse, the way the news was delivered to you took days for you to receive it, and by the time you acknowledged the fact, your spouse had already passed away. This was Samuel […]

Learn More »
How Important Is Your Privacy to You?
April 04, 2023 | 8 minutes read
How Important Is Your Privacy to You?

If your information is ever being shared, ask what redaction method was used. Did they redact manually by hand or with software? Do they utilize a redaction software that prioritizes redaction and uses AI features like CaseGuard Studio, or did they use software that only has redaction as a secondary feature, like Adobe? These are important questions because they can reveal the quality of the redaction used to protect you. Your safety and privacy are essential, don’t be afraid to take action to secure them.

Learn More »