WakeMed Health and Hospitals

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

WakeMed Health & Hospitals, based in Raleigh, North Carolina, faced significant scrutiny and legal challenges due to a data privacy incident involving the Meta Pixel, a tracking tool used on its website. This incident led to the potential exposure of sensitive patient information to Facebook (now known as Meta), affecting nearly half a million patients.

Data Privacy Incident Overview

In March 2018, WakeMed implemented the Meta Pixel on its website and the WakeMed MyChart patient portal. The intention behind using this pixel was to collect anonymous data to improve user experience and facilitate better access to the MyChart patient portal. However, it was discovered that the pixel might have also transmitted sensitive information entered by users on the MyChart patient portal and appointment scheduling page back to Facebook. The data potentially shared included email addresses, phone numbers, IP addresses, emergency contact information, allergy or medication information, COVID vaccine status, and details about upcoming appointments. Importantly, Social Security numbers or other financial information were not included unless entered by the user in a free text box[1].

Legal and Public Response

Following the discovery of this issue, WakeMed proactively disabled the Meta Pixel in May 2022 and initiated a comprehensive review of its policies and procedures related to gathering website user data. Despite these measures, WakeMed faced a class action lawsuit alleging that the information of nearly half a million patients was shared with Facebook. The lawsuit claims that this data leak violated WakeMed’s duty of confidentiality to its patients, as well as state and federal laws[2][3].

WakeMed’s Response

WakeMed has emphasized its commitment to the privacy and security of patient health information, stating that protecting this information is a top priority. The health system notified affected individuals who logged into a WakeMed MyChart account and/or scheduled an appointment on the WakeMed website between March 2018 and May 2022. WakeMed also stated that it has no plans to use the Meta Pixel in the future without confirmation that it no longer has the capacity to transmit potentially sensitive or identifiable information[1].

Ongoing Litigation

The lawsuit against WakeMed has advanced, with the North Carolina Superior Court, Wake County, allowing the proposed class action to proceed. The plaintiffs have adequately stated claims for common-law negligence, breach of implied contract, and breach of fiduciary duty. This legal action is part of a broader trend of litigation against healthcare providers over their use of tracking technologies on patient portals and other webpages[5].

Conclusion

The incident at WakeMed Health & Hospitals underscores the complex challenges healthcare providers face in balancing the use of modern technology to improve patient services with the imperative to protect sensitive patient information. As the legal proceedings continue, the case highlights the importance of stringent data privacy practices and the potential consequences of their breach.

Citations:

  1. https://www.wakemed.org/about-us/news-and-media/wakemed-news-releases/wakemed-notifies-patients-of-potential-data-privacy-incident
  2. https://www.cbs17.com/news/local-news/wake-county-news/wakemed-faces-class-action-lawsuit-for-alleged-meta-pixel-data-breach/
  3. https://www.secureblink.com/cyber-security-news/500-000-patients-hit-by-data-breach-as-reported-by-wake-med-hospital
  4. https://www.charlotteobserver.com/news/business/article279392684.html
  5. https://news.bloomberglaw.com/litigation/patients-advance-wakemed-lawsuit-over-data-sharing-with-meta
  6. https://spectrumlocalnews.com/nc/charlotte/news/2023/09/18/cyberattack-data-stolen-north-carolina-hospitals
  7. https://www.hipaajournal.com/wakemed-meta-pixel-privacy-breach/
  8. https://www.wnct.com/on-your-side/crime-tracker/the-biggest-health-care-data-breaches-you-should-know-about-in-north-carolina/
  9. https://www.wral.com/story/lawsuit-accuses-wakemed-of-collecting-patient-data-and-sending-it-to-facebook-for-marketing/20551652/
  10. https://healthitsecurity.com/news/wakemed-faces-data-breach-lawsuit-over-meta-pixel-use
  11. https://www.classaction.org/news/data-breach-wakemed-shared-patient-portal-info-with-facebook-for-over-four-years-class-action-claims
  12. https://www.carolinalaw.com/2022/12/what-to-know-about-the-wakemed-data-breach/
  13. https://www.nccourts.gov/assets/documents/orders-of-significance/2023%20NCBC%20Order%2018.pdf?VersionId=qAsxoQ8ufCRP60T5nUtxdnPHQ84_hBYy
  14. https://www.newsobserver.com/news/local/article268130567.html

Breach Submission Date: Oct 14, 2022
Converted Entity Name: WakeMed Health and Hospitals
Converted Entity Type: Healthcare Provider
State: NC
Individuals Affected: 495,808
Breach Type: Unauthorized Access/Disclosure
Breach Information Location: Network Server
Business Associate Present: Yes