Advocate Aurora Health this week alerted its patients across Illinois and Wisconsin of a potential data breach involving tracking pixels in its online patient portal and mobile app.

According to a notice of data breach posted to the health system's website, Advocate Aurora enlists third-party vendors to help track and evaluate the "trends and preferences" of patients using its websites. That's done with pieces of code, called pixels, which were on some of the health system's websites or applications.

"We learned that pixels or similar technologies installed on our patient portals available through MyChart and LiveWell websites and applications, as well as on some of our scheduling widgets, transmitted certain patient information to the third-party vendors that provided us with the pixel technology," according to the notice.

That data may have included "IP address; dates, times, and/or locations of scheduled appointments; your proximity to an Advocate Aurora Health location; information about your provider; type of appointment or procedure; communications between you and others through MyChart, which may have included your first and last name and your medical record number; information about whether you had insurance; and, if you had a proxy MyChart account, your first name and the first name of your proxy," according to the health system.

"Based on our investigation, no social security number, financial account, credit card, or debit card information was involved in this incident," officials added.

In response, Advocate Aurora has "disabled and/or removed the pixels from our platforms and launched an internal investigation to better understand what patient information was transmitted to our vendors."

Health system officials said they don't know precisely how many patients might have been affected by the potential breach, but "out of an abundance of caution," it has "decided to assume that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on Advocate Aurora Health's platforms, may have been affected."

But that number could be as high as 3 million patients, according to the list of cases currently under investigation on the HHS for Civil Rights Breach Portal.

The Advocate Aurora notice also alerts its patients that different users may have been affected in different ways, depending on "their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform by the user."

In a separate FAQ on its website, Advocate Aurora says it's unaware of any misuse of compromised data – but suggests that patients take precautions, such as placing a fraud alert on credit files, reviewing any new statements from their financial institutions, looking for suspicious transactions or other out-of-the-ordinary activity on their accounts.

Twitter: @MikeMiliardHITN
Email the writer: mike.miliard@himssmedia.com
Healthcare IT News is a HIMSS publication.