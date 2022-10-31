ContributorsPublishersAdvertisers
Illinois State

Advocate hospital system sued over data breach that may have affected 3 million patients

By Lisa Schencker, Chicago Tribune
 3 days ago
Advocate Illinois Masonic Medical Center on March 25, 2022. An Illinois man is suing Advocate Aurora Health and Facebook after the hospital system disclosed that it may have exposed the information of as many as 3 million patients who use its online patient portals and other tools. Jose M. Osorio/Chicago Tribune/TNS

An Illinois man is suing Advocate Aurora Health and Facebook after the hospital system disclosed that it may have exposed the information of as many as 3 million patients who use its online patient portals and other tools.

The lawsuit seeks class action status and was filed in U.S. District Court for the Northern District of Illinois on Friday against the hospital system and Meta Platforms. It alleges that Advocate Aurora and Facebook violated the law as well as various privacy rights.

“Advocate discloses its patients’ personally identifiable patient information and PHI (personal health information) to Facebook together in a single transmission,” according to the lawsuit, filed by Illinois resident Alistair Stewart. “This transmission occurs even though patients have not shared (nor consented to share) such information.”

Advocate Aurora said in a statement Monday afternoon, “We take patient privacy very seriously, employ robust internal controls to protect patient data and are committed to compliance with all laws applicable to our operations.”

Advocate Aurora, which has 27 hospitals in Illinois and Wisconsin, recently posted a notice on its website citing pixel technology as the cause of the breach. The pixels are pieces of code that organizations can use to track how consumers use their websites and applications.

Advocate Aurora said in a recent statement that it learned pixels and similar technologies installed on its patient portals, as well as on some of its scheduling widgets, sent patient information to the outside vendors that supply the pixels. People who were logged into their Facebook or Google accounts at the same time may have been particularly affected, Advocate Aurora said.

Advocate Aurora has said that exposed data may have included IP addresses; dates, times, and/or locations of scheduled appointments; a patient’s proximity to an Advocate Aurora Health location; information about patients’ provider; types of appointment or procedures; and communications between patients and others on MyChart.

The hospital system said it has launched an internal investigation and does not believe Social Security numbers, financial accounts, credit card or debit card information were leaked. The system said the breach is unlikely to lead to identity theft or financial harm and it’s seen no evidence of misuse of information or fraud.

“Like others in our industry, we have used internet tracking technologies to improve the consumer experience across our websites and encourage individuals to schedule necessary preventive care,” the hospital system said in a statement. “We are thoroughly evaluating the information we collect and track. As part of this evaluation and out of an abundance of caution, we have turned off pixels and related analytics tools across our online properties.”

With the lawsuit, Advocate Aurora joins a growing list of hospital systems being sued over their use of pixel technology. Locally, Rush University System for Health and Northwestern Memorial Hospital are also facing lawsuits.

The new lawsuit seeks damages and other relief.

Advocate Aurora has reported its breach to the U.S. Department of Health and Human Services Office for Civil Rights. Health systems must report breaches of protected health information involving 500 or more individuals to that office, which posts reports on a public website, nicknamed the Wall of Shame. The Office for Civil Rights investigates such breaches and can levy fines against health systems, depending on severity.

