An Illinois man is suing Advocate Aurora Health and Facebook after the hospital system revealed it may have disclosed the information of up to 3 million patients using its online patient portals and other tools.
The lawsuit, which seeks class-action status, was filed Friday in the US District Court for the Northern District of Illinois against the hospital system and Meta Platforms. It accuses Advocate Aurora and Facebook of violating the law and various privacy rights.
“Advocate shares its patients’ personally identifiable patient information and PHI (personal health information) together in a single transmission to Facebook,” reads the lawsuit, which was filed by Alistair Stewart of Illinois. “This transfer occurs despite the fact that patients have not shared (or consented to the sharing of) such information.”
Attorney Aurora said in a statement Monday afternoon, “We take patient privacy very seriously, employ robust internal controls to protect patient information and are committed to complying with all laws applicable to our operations.”
Advocate Aurora, which has 27 hospitals in Illinois and Wisconsin, recently posted a notice on its website citing pixel technology as the cause of the breach. The pixels are pieces of code that businesses can use to track how consumers use their websites and applications.
Attorney Aurora said in a recent statement that he learned that pixels and similar technologies installed on his patient portals, as well as on some of his scheduling widgets, sent patient information to the outside vendors that supply the pixels. People who were logged into their Facebook or Google accounts at the same time may have been particularly affected, attorney Aurora said.
Attorney Aurora has said disclosed data may have included IP addresses; dates, times and/or locations of scheduled appointments; a patient’s proximity to an Advocate Aurora Health location; Information about the patient’s provider; types of appointments or procedures; and communication between patients and others on MyChart.
The hospital system said it had launched an internal investigation and did not believe Social Security numbers, financial accounts, credit card or debit card information was leaked. The system said the breach is unlikely to result in identity theft or financial damage, and found no evidence of misuse of information or fraud.
“Like others in our industry, we have used internet tracking technologies to enhance the consumer experience on our websites and to encourage individuals to plan for the necessary screening,” the hospital system said in a statement. “We thoroughly evaluate the information we collect and track. As part of this assessment and as a precaution, we have disabled pixels and associated analytics tools on our online properties.”
With the lawsuit, Advocate Aurora joins a growing list of hospital systems being sued for their use of pixel technology. Locally, the Rush University System for Health and Northwestern Memorial Hospital are also facing lawsuits.
The new lawsuit seeks damages and other relief.
Attorney Aurora has reported her violation to the US Department of Health and Human Services’ Office of Civil Rights. Healthcare systems must report breaches of protected health information involving 500 or more people to this office, which publishes reports on a public website nicknamed the Wall of Shame. The Office of Civil Rights investigates such violations and may impose fines on healthcare systems, depending on the severity.