WakeMed Health and Hospitals
Your Personal Info Could Be
Exposed Online After
This Hospital Breach
Breach Description
WakeMed Health & Hospitals, based in Raleigh, North Carolina, faced significant scrutiny and legal challenges due to a data privacy incident involving the Meta Pixel, a tracking tool used on its website. This incident led to the potential exposure of sensitive patient information to Facebook (now known as Meta), affecting nearly half a million patients.
Data Privacy Incident Overview
In March 2018, WakeMed implemented the Meta Pixel on its website and the WakeMed MyChart patient portal. The intention behind using this pixel was to collect anonymous data to improve user experience and facilitate better access to the MyChart patient portal. However, it was discovered that the pixel might have also transmitted sensitive information entered by users on the MyChart patient portal and appointment scheduling page back to Facebook. The data potentially shared included email addresses, phone numbers, IP addresses, emergency contact information, allergy or medication information, COVID vaccine status, and details about upcoming appointments. Importantly, Social Security numbers or other financial information were not included unless entered by the user in a free text box[1].
Legal and Public Response
Following the discovery of this issue, WakeMed proactively disabled the Meta Pixel in May 2022 and initiated a comprehensive review of its policies and procedures related to gathering website user data. Despite these measures, WakeMed faced a class action lawsuit alleging that the information of nearly half a million patients was shared with Facebook. The lawsuit claims that this data leak violated WakeMed’s duty of confidentiality to its patients, as well as state and federal laws[2][3].
WakeMed’s Response
WakeMed has emphasized its commitment to the privacy and security of patient health information, stating that protecting this information is a top priority. The health system notified affected individuals who logged into a WakeMed MyChart account and/or scheduled an appointment on the WakeMed website between March 2018 and May 2022. WakeMed also assured that it has no plans to use the Meta Pixel in the future without confirmation that it no longer has the capacity to transmit potentially sensitive or identifiable information[1].
Ongoing Litigation
The lawsuit against WakeMed has advanced, with the North Carolina Superior Court, Wake County, allowing the proposed class action to proceed. The plaintiffs have adequately stated claims for common-law negligence, breach of implied contract, and breach of fiduciary duty. This legal action is part of a broader trend of litigation against healthcare providers over their use of tracking technologies on patient portals and other webpages[5].
Conclusion
The incident at WakeMed Health & Hospitals underscores the complex challenges healthcare providers face in balancing the use of modern technology to improve patient services with the imperative to protect sensitive patient information. As the legal proceedings continue, the case highlights the importance of stringent data privacy practices and the potential consequences of their breach.
Citations:
- https://www.wakemed.org/about-us/news-and-media/wakemed-news-releases/wakemed-notifies-patients-of-potential-data-privacy-incident
- https://www.cbs17.com/news/local-news/wake-county-news/wakemed-faces-class-action-lawsuit-for-alleged-meta-pixel-data-breach/
- https://www.secureblink.com/cyber-security-news/500-000-patients-hit-by-data-breach-as-reported-by-wake-med-hospital
- https://www.charlotteobserver.com/news/business/article279392684.html
- https://news.bloomberglaw.com/litigation/patients-advance-wakemed-lawsuit-over-data-sharing-with-meta
- https://spectrumlocalnews.com/nc/charlotte/news/2023/09/18/cyberattack-data-stolen-north-carolina-hospitals
- https://www.hipaajournal.com/wakemed-meta-pixel-privacy-breach/
- https://www.wnct.com/on-your-side/crime-tracker/the-biggest-health-care-data-breaches-you-should-know-about-in-north-carolina/
- https://www.wral.com/story/lawsuit-accuses-wakemed-of-collecting-patient-data-and-sending-it-to-facebook-for-marketing/20551652/
- https://healthitsecurity.com/news/wakemed-faces-data-breach-lawsuit-over-meta-pixel-use
- https://www.classaction.org/news/data-breach-wakemed-shared-patient-portal-info-with-facebook-for-over-four-years-class-action-claims
- https://www.carolinalaw.com/2022/12/what-to-know-about-the-wakemed-data-breach/
- https://www.nccourts.gov/assets/documents/orders-of-significance/2023%20NCBC%20Order%2018.pdf?VersionId=qAsxoQ8ufCRP60T5nUtxdnPHQ84_hBYy
- https://www.newsobserver.com/news/local/article268130567.html