Posted on October 22, 2022 at 4:49 AM

Advocate Aurora Health (AAH) Announces Data Breach With 3 Million Patients Affected

Advocate Aurora Health (AAH) has become the latest health institution to suffer a data breach after the records of 3 million patients were exposed.

The hospital healthcare system, based in Illinois and Wisconsin, is now informing the affected patients of a data breach on its system and networks. The breach may have exposed the personal and financial data of the patients.

The incident was a result of the incorrect use of Meta Pixel on AAH’s websites which contains patients’ medical and sensitive information.

As a JavaScript tracker, Meta Pixel enables website operators to know how visitors to the site interact with the platform. This helps them to make targeted improvements.

Apart from that primary role, the tracker also delivers vital data to Meta, which could be shared among other networks of marketers that advertise their products using those specific patient details.

More Patients Could Be Affected

The repercussion of this breach could go beyond the expected because Meta Pixel is used by several hospitals in the U.S. Its broader impact could be the exposure of millions of people to third parties. Additionally, the nature of the breach could spark class action lawsuits against the organizations held liable for the incident.

According to the healthcare system’s notification, the information that may have been exposed include medical provider information, proximity to an AAH location, type of procedure or appointment, IP address, as well as locations, dates, and times of scheduled appointments.

Other information includes proxy account information, insurance information, and details of communication between MyChart users.

AAH noted that the incidence has also been listed on the U.S. Department of Health breach report portal.

However, to avoid any further issues, AAH has disabled the Pixel tracker on all systems. The healthcare provider is also implementing safeguards that will prevent any further exposure on the website. In situations like this, hackers can take advantage to find loopholes that they can exploit. But AAH has assured users and patients that it has already installed strong security checks to repel those attacks.

Patients Have Been Advised On Security

Patients have been advised to use incognito mode or use their web browsers’ tracker-blocking features when logging in on medical portals. Additionally, those with Google or Facebook accounts should review their privacy settings.

The healthcare provider has also provided a FAQ page to enable patients to find answers to questions they may have about the breach and security measures.

The breach on AAH comes only a year after the southeast Florida health system disclosed that it was hit by a distributed denial of services (DDoS) attack. The healthcare system operates more than 30 healthcare locations in Broward County.

The attack occurred on October 15, 2021, after a threat actor gained unauthorized access to the hospital’s network, and gained access to patients’ data in the process. According to the report posted on the health system’s website, the attack came through a third-party medical provider

The health system revealed that it discovered the attack four days later, and took measures to contain the incident. It also reported to the Department of Justice (DoJ) and the FBI for further investigation on the matter.

More Health Care Centers Suffer Breach

The recent attack is evidence that healthcare providers are increasingly getting targeted.

In a recent development, Pennsylvania-based Keystone Health recently announced that the data of 235,237 patients were accessed for close to a month in an undetected hack on August 19, 2022. The breach was first discovered when the provider’s computer systems were temporarily disrupted. The situation was reported to law enforcement and an investigation into the incident was launched.

The results of the investigation showed that the hacker first accessed the network on July 28. While in the system, the threat actors had access to patient data such as clinical details and Social Security numbers.

But not all data exposures in the healthcare system have been a result of cyber attacks.  Earlier in August, U.S. healthcare provider Novant Health announced that 1.3 million patients were exposed due to improper use of Meta Pixel in its implementation of the “MyChart” portal.

The “MyChart” patient portal is also utilized by both “LiveWell” and AAH, both of which had active Meta Pixel trackers.

AAH noted that certain protected health information (PHI) can be exposed in certain circumstances when patients use Advocate Aurora Health patient portals available through LiveWell and MyChart platforms. AAH added that the situation affects those users who are logged into their Google or Facebook accounts.