Advocate Aurora Health

Advocate Aurora Health Data Breach Affects Up to 3M Patients: Cybersecurity Trends

Yet another story which illustrates the importance of Cybersecurity Awareness Month! Advocate Aurora Health reported a data breach that could affect up to 3 million patients!

According to Fierce Healthcare (Advocate Aurora says 3M patients’ health data possibly exposed through tracking technologies, written by Annie Burky), Advocate Aurora Health gave notice to patients that their health data may have been exposed through internet tracking technologies from Facebook and Google.

Advocate Aurora Health is a 27-hospital healthcare system in Wisconsin and Illinois with over 500 sites of care and $14 billion in annual revenue.


Up to 3 million patients may have been impacted in the breach against the health system, which is one of the Chicago area’s largest healthcare providers.

Advocate Aurora explained in a statement on its website that through the use of internet tracking technologies certain interactions on the provider’s website were leaked. The technologies from companies like Google and Facebook’s parent company Meta put pieces of code, called pixels, on certain websites and applications.

“These pixels or similar technologies were designed to gather information that we review in aggregate so that we can better understand patient needs and preferences to provide needed care to our patient population,” the health system said in the online statement. “We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology.”

The health system said it has disabled and/or removed the pixels from its platforms and launched an internal investigation to better understand what patient information was transmitted to third-party vendors.

“Out of an abundance of caution, Advocate Aurora Health has decided to assume that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on Advocate Aurora Health’s platforms, may have been affected,” Advocate Aurora Health officials wrote in the statement.

Sensitive information including IP address, physical location, name and protected health information may have been exposed for the 3 million patients in question. While the investigation will reveal the extent of the breach, Advocate Aurora wrote in the related statement that it believes Social Security numbers, financial accounts and credit card or debit card information were not involved in this incident.

This isn’t the first instance of pixels being used to collect data from healthcare websites: A long string of complaints and lawsuits against hospitals and Meta for collecting data on hospital websites has included UCSF Medical Center, Dignity Health, Northwestern Memorial Hospital and Baltimore’s Medstar Health System. Litigants claim that the data acquired violates the Health Insurance Portability and Accountability Act (HIPAA).

The battle of personal data collection (including healthcare data) vs. personal data privacy wages on. Looks like those tracking pixels are bad for your health…care data! See what I did there!

So, what do you think? Should all healthcare sites drop the use of tracking pixels?  Please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the authors and speakers themselves, and do not necessarily represent the views held by my employer, my partners or my clients. eDiscovery Today is made available solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Today should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.


  1. OK, news flash: it’s not just healthcare sites using of tracking pixels. A tracking pixel is an HTML code snippet which is loaded when a user visits a website or opens an email. It is used by almost every site you visit for tracking user behavior and conversions. With a tracking pixel, advertisers can acquire data for online marketing, web analysis or email marketing. With log file analysis, by using long data evaluation or using scores of appropriate analytical tools, this data can be used for 100s of different purposes. It is the same with the “cybersecurity software” used in legaltech document review. A gift to hackers. Porous as hell. More on that later. It’s why we keep saying data privacy is dead dead dead.

    We really need to stop thinking about it in terms of a solution to the cybersecurity problem, because we’ll never “solve” it. We can only manage it. If we think of it as a risk management problem that you can reduce the risk of, and companies apply all of the same tools that they use to manage their risk of brand damage or legal … you know, litigation … they can use those same tools to drive down their cyber risk. It’s a no brainer.

    But, alas, as Greg has pointed out numerous times, it is the same old story. Software developers don’t have a choice anymore (they tried way early on but the bean counters slayed them). Speed becomes a business imperative for survival and to stay competitive. Software development is in this grinding environment. Forces always seem to be pulling in opposite directions, between management, client, and developer ideologies. We have developed a culture of “agility” without always retaining the appropriate balance with quality and security. We should – but never will – look back to basics and ensure fundamental steps in development, even if accelerated.

Leave a Reply