An Illinois man is suing Advocate Aurora Health and Facebook after the hospital system disclosed that it may have exposed the information of as many as 3 million patients who use its online patient portals and other tools.
The lawsuit seeks class action status and was filed in U.S. District Court for the Northern District of Illinois on Friday against the hospital system and Meta Platforms. It alleges that Advocate Aurora and Facebook violated the law as well as various privacy rights.
Advertisement
“Advocate discloses its patients’ personally identifiable patient information and PHI (personal health information) to Facebook together in a single transmission,” according to the lawsuit, filed by Illinois resident Alistair Stewart. “This transmission occurs even though patients have not shared (nor consented to share) such information.”
A spokesman for Advocate Aurora did not immediately respond to a request for comment Monday afternoon.
Advertisement
Advocate Aurora, which has 27 hospitals in Illinois and Wisconsin, recently posted a notice on its website citing pixel technology as the cause of the breach. The pixels are pieces of code that organizations can use to track how consumers use their websites and applications.
Advocate Aurora said in a recent statement that it learned that pixels and similar technologies installed on its patient portals, as well as on some of its scheduling widgets, sent patient information to the outside vendors who supply the pixels. People who were logged into their Facebook or Google accounts at the same time may have been particularly affected, Advocate Aurora said.
The hospital system has since disabled or removed the pixels, according to the previous statement.
Advocate Aurora has said that exposed data may have included IP addresses; dates, times, and/or locations of scheduled appointments; a patient’s proximity to an Advocate Aurora Health location; information about patients’ provider; types of appointment or procedures; and communications between patients and others on MyChart.
The hospital system said it has launched an internal investigation, and does not believe Social Security numbers, financial accounts, credit card or debit card information were leaked. The system said the breach is unlikely to lead to identity theft or financial harm, and it’s seen no evidence of misuse of information or fraud.
With the lawsuit, Advocate Aurora joins a growing list of hospital systems being sued over their use of pixel technology. Locally, Rush University System for Health and Northwestern Memorial Hospital are also facing lawsuits.
The new lawsuit seeks damages and other relief.
Advocate Aurora has also reported its breach to the U.S. Department of Health and Human Services Office for Civil Rights. Health systems must report breaches of protected health information involving 500 or more individuals to that office, which posts reports on a public website, nicknamed the Wall of Shame. The Office for Civil Rights investigates such breaches and can levy fines against health systems, depending on severity.