In response to reports that Advocate Aurora Health, a 26-hospital healthcare system in Wisconsin and Illinois, is notifying its patients of a data breach that exposed the personal data of 3,000,000 patients, experts at cybersecurity firms offer the following comments.

This is clear evidence that the implementation of new technologies, no matter how simple, needs to be vetted and approved by an organization’s information security and privacy teams. Generally, pixels do not collect the level of information that was disclosed in this data breach. The implementation must’ve gone extremely poorly to cause sensitive PHI to be disclosed to a third party—which means something was very broken in the implementation process. It’s great that they caught this, but with 3 million patient records being disclosed, it’s a little too late. Every website you visit contains some kind of tracking pixel, including news sites, SaaS apps, patient portals, banking portals, and so on. There are likely hundreds, if not thousands, of tracking pixel implementations that have gone awry but have not yet been identified. It is critical that all organizations take tracking technology implementation seriously and conduct audits to ensure that they are working as intended and not sending extremely sensitive data to third parties who may use that information for their own purposes.

The Meta Pixel data leak is generating a wave of consumer privacy suits, first around digital video consumption, now around healthcare data and most likely a list of other industries to come. The incident points out the difficulty – and the necessity – for organizations to understand their risk from third-party vendors powering their web applications. Healthcare providers and payers face a double jeopardy from class action lawsuits and fines from the federal government for HIPAA violations. Quantifying an organization’s risk in financial terms gives the clearest picture. Based on industry statistics for the frequency and magnitude of cyber events and using the principles and techniques of FAIR™ (Factor Analysis of Information Risk), we can estimate that a typical healthcare organization has an 18% chance yearly of a data breach attributed to a web application cyber event with a probable cost of $47 million, including fines and judgments, incident response and other costs.