‘They should have done more research.’ Cybersecurity expert breaks down WakeMed data leak
RALEIGH, N.C. (WNCN) — Almost a half million people may have been affected by a data mishap that occurred when confidential patient information stored by WakeMed was shared with Facebook by a marketing tool.
Between March 2018 and May 2022, 495,000 people accessed WakeMed’s MyChart patient portal or scheduled a doctor’s appointment. WakeMed sent those patients a letter to inform them that Facebook may have obtained personal medical information as part of a tracking initiative.
“Facebook overstretched what they were doing beyond just tracking the fact that you were out there,” said cybersecurity expert Rob Downs of Managed IT Solutions in Raleigh. “They were also tracking data you might have inputted at that point in time.”
WakeMed told CBS 17 what led to the data mishap.
It was using a Facebook pixel on its MyChart Website that was supposed to anonymously track data.
I.T. professionals say those tracking pixels are used by many organizations to create re-targeted ads
“As you’re scrolling through Facebook there are ads popping up for some places you’ve gone to—that’s the purpose of the Facebook pixel,’‘ said Downs.
The hospital told consumer reporter Steve Sbraccia they were told of the data leak in May.
It says MyChart creators, Epic Systems, notified WakeMed the pixel may also have transmitted “allergy or medication information; COVID vaccine status; information about upcoming appointments, such as appointment type and date, and physician selected.”
This happened during the last four years and all that potentially transmitted information is HIPAA protected.
“It’s the hospital’s responsibility to make sure that data stays secure,” said Downs. “They should have done more research into what was leaving the website.”
The hospital said when it found out what was happening, they disabled the pixel in May, but didn’t send out the notification letter until Oct. 11 because it was conducting ”extensive forensic research to try and determine what, if any, information may have been transmitted and who may have been impacted.”
The hospital says it has no future plans to use the Facebook tracking pixel until it can be assured of its integrity and is making changes to enhance privacy to prevent future data mishaps.
“There’s not too much you can do,’’ said Downs. “The hospital took corrective action. Anything above and beyond that would have to be at the federal or state level to reprimand Facebook for taking more data than it should have.”
WakeMed believes Facebook, along with its parent company Meta and third parties it associates with, have not improperly used patient information it may have obtained in any of its advertising programs.
The hospital also has created a special webpage to deal with the pixel situation which you can access here.
Gloss