Novant warns more than 1 million customers it may have sent their health info to Facebook

Novant Health sent more than a million letters to patients saying that sensitive information may have been shared with Facebook parent company Meta through the hospital system’s use of a digital tracker tool.

The healthcare provider sent approximately 1.3 million letters, a Novant spokeswoman confirmed to The Charlotte Observer on Thursday.

The tool, known as Meta Pixel or Facebook Pixel, is a snippet of code that tracks website visitor activity. It was revealed earlier this summer that Novant, along with several other N.C. hospital systems, had sent patient information to Meta through their use of the tool.

“We want to be as transparent as possible,” Novant said in the letter to patients, a copy of which was obtained by the Observer. “Novant is taking this situation very seriously, and we apologize for the concern this situation may have caused you.”

Novant sent out several versions of the letters, which were tailored to patients, the spokeswoman said.

According to the letter, the following information could have been transmitted to Facebook:

• Email and phone number

• IP address

• Contact information entered into emergency contacts or advanced care planning

• Appointment type and date

• Physician

• Button and menu selections

• Content typed

Information affected did not include social security numbers or other financial information, according to a page about the incident on Novant’s website.

Several independent physician practices use MyChart in partnership with Novant Health. Patients at those practices, even if they’re not Novant patients, may also have been affected by the leak.

If a patient didn’t receive a letter, and they have an accurate address on file with Novant, it means their information was not shared with Meta, according to the Novant website.

How it happened

In June, nonprofit newsroom The Markup reported that 33 of the nation’s top 100 hospitals were sharing patient data with Facebook and parent company Meta through their use of Meta Pixel.

That included Novant, Atrium Health Carolinas Medical Center and two more of the largest healthcare systems in North Carolina.

In the letter to patients and on its website, Novant said its use of Meta Pixel had its roots in a May 2020 promotional campaign.

The healthcare system advertised the Novant Health MyChart patient portal on Facebook to improve access to virtual care during the pandemic. It placed Meta Pixel on the Novant Health website to track the campaign’s success.

But the pixel was configured incorrectly, Novant said, and may have allowed certain private information to be transmitted to Meta from Novant’s website and MyChart portal.

As soon as Novant became aware of the potential leak, it immediately disabled and removed the pixel and started looking into the issue, the system told patients in the letter. On June 17, it determined that sensitive information may have been disclosed to Meta.

What happens now?

It’s unclear what, if anything, Facebook does with information from the hospitals. The company claims to filter out sensitive health information before it reaches the ads system, but concerns have been raised about how well those filters work.

Meta’s policies prohibit collecting personal health information, and Pixel is supposed to filter out that information, a spokesperson told The Markup. But in the case of the 33 hospitals, health information may have been shared. And federal law requires that personal health data be kept confidential.

Novant said in the letter that it doesn’t have any evidence that Meta or any other third party acted on the personal information.

The system says it has implemented “more structure, governance and policies” around the use of pixels, the letter said. “(We) promise that we will take appropriate actions to ensure that this does not happen again.”