A data breach at hospital system giant Advocate Aurora Health may have exposed the information of as many as 3 million patients who use its online patient portals and other tools, the system said.
Advocate Aurora, which has 27 hospitals in Illinois and Wisconsin, said exposed patient data may include IP addresses; dates, times, and/or locations of scheduled appointments; a patient’s proximity to an Advocate Aurora Health location; information about patients’ provider; types of appointment or procedures; and communications between patients and others on MyChart.
Advocate Aurora said in a statement on its website that it has launched an internal investigation, and does not believe Social Security numbers, financial accounts, credit card or debit card information were leaked.
The system said the breach is unlikely to lead to identity theft or financial harm, and it’s seen no evidence of misuse of information or fraud.
The health system said that it uses outside vendors to track trends and preferences of its patients as they use its website. Those preferences are tracked through the use of “pixels,” which are pieces of code. Advocate Aurora said in the statement that it learned that pixels and similar technologies installed on its patient portals, as well as on some of its scheduling widgets, sent patient information to the vendors who supply the pixels. People who were logged into their Facebook or Google accounts at the same time may have been particularly affected, Advocate Aurora said.
Advocate Aurora has since disabled or removed the pixels, according to the statement.
“Advocate Aurora Health apologizes for the inconvenience that these technologies may have caused,” the system said.
Patients with questions about the breach may call 866-884-3206 from Monday through Friday from 7 a.m. to 7 p.m., and Saturday from 9 a.m. to 2 p.m.
The system reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights. Health systems must report breaches of protected health information involving 500 or more individuals to that office, which posts reports on a public website, nicknamed the Wall of Shame. The Office for Civil Rights investigates such breaches and can levy fines against health systems, depending on severity.
Data breaches have plagued hospital systems across the country for years, as hospitals try to keep up with ever-changing technologies, evolving cyber criminal activity and competing demands for their dollars and time.
