Novant Health notifies patients about possible data breach involving Facebook tracker

CHARLOTTE — At the height of the COVID-19 pandemic, Novant Health launched a promotion to encourage people to use an online patient portal; over a year later, that promotional campaign may have led to a data breach sending personal information to Facebook.

Novant sent a letter to patients that was obtained by Channel 9 on Thursday. The letter says in May 2020, the promotional campaign was launched for the Novant Health MyChart portal, with the goal of increasing virtual visits. Novant had placed advertisements on Facebook to point people to the health portal, and Novant utilized a Facebook tracking pixel to “understand the success of those advertisement efforts on Facebook.”

That pixel, Novant says, was “configured incorrectly and may have allowed certain private information to be transmitted to Meta (also known as Facebook) from the Novant Health website and MyChart portal.”

Novant says it learned about the potential to transmit information and launched an investigation. In June of this year, Novant Health “determined that it was possible sensitive information or PHI might have been disclosed to Meta depending upon a user’s activity” on the website.

Novant says the information “could have potentially included” the following items:

  • demographic information such as email address, phone number, computer IP address, and contact information entered into Emergency Contacts or Advanced Care Planning
  • appointment type and date
  • physician selected
  • button/menu selections
  • content typed into free text boxes.

According to Novant, the information didn’t include Social Security numbers or other financial information.

Novant told Channel 9 that the breach affects patients from various states, not just North Carolina and South Carolina. Novant added that the system has stopped using the tracking pixel.

According to the Department of Health and Human Services, the breach impacted an estimated 1.3 million people.

Channel 9′s Tina Terry spoke with Lawrence Teo, the Founder and Vice President of Development at Caliptix Security and Ph.D. graduate in cybersecurity from UNC Charlotte, about the risk surrounding these types of trackers.

“The first thing is, before implementing it, I think they should do a really careful review of the tracking technology that they’re about to implement to see what kind of data that they are about to collect and just be really, really cautious to make sure they’re compliant with regulations and so forth,” said Teo

Tracking pixels are small invisible dots placed on a page, and they are common on many websites, but they don’t usually retain data. The primary purpose of a tracking pixel is for analytics reports and to count page views on websites. For example, WSOC-TV.com utilizes tracking cookies to keep track of what articles are trending, which cities’ residents are visiting our site, and which stories are receiving the most unique visitors.

New regulations require websites to include a pop-up notification asking for your consent to store bits of data called “cookies.”

You can also track the trackers -- tools like Cookie-Script will let you scan a website to see which trackers are being used, and what data is being tracked. Simply enter the website address and click “Scan Cookies” to see a list of what’s being used on that site.

(WATCH BELOW: Lawsuit claims Novant Health charged patent $2,000 visitation fee for ER visit)

Andrew McMillan, wsoctv.com

Andrew McMillan is the Digital Content Manager for WSOC-TV.