Novant removes Facebook tracker that shared sensitive health data, says NHRMC sites not affected
A recent investigative report discovered that a third of the top hospital systems in the United States, including North Carolina-based Novant Health, had a tracking tool on their websites that sends sensitive health information to Facebook. Novant says it has removed the tracker from its MyChart online portal while it investigates the issue. It also says the tracker was never used on any New Hanover County Regional Medical Center site.
The report, published last week, looked at the top 100 hospitals as ranked by Newsweek and discovered that 33 of them had a tracker called the Meta Pixel installed on their websites, including on the password-protected patient portals of seven health systems, among them Novant's MyChart website. The investigation was co-published by STAT, an online health news site produced by Boston Globe Media, and The Markup, a non-profit newsroom focusing on technology use.
The investigation found that the tracker installed on Novant’s site, specifically, shared sensitive information like the name and dosage of prescriptions, and personal details like sexual orientation and gender identity. According to the report, there was no evidence that any of the hospitals or Meta, Facebook’s parent company, had obtained patients’ consent.
A spokesperson for Novant said that the tracker, which was installed about two years ago on the Novant patient portal, had never been used on any New Hanover County Regional Medical Center website. Although Novant Health’s purchase of NHRMC became official in February of 2021, Novant said "Legacy NHRMC has not migrated onto Novant Health's version of MyChart. Legacy NHRMC MyChart remains separate." So, even after the sale was finalized, new patients continued to use the old system, which according to Novant did not use Meta Pixel.
Asked about patients using websites for Novant's Brunswick County facilities, Novant issued the following statement:
We take privacy and the care of patient information very seriously at Novant Health and we value the trust our patients place in us to keep their medical information private. Approximately two years ago, we engaged a third-party vendor to help us develop and implement a campaign designed to encourage individuals to sign up for MyChart. The goal of this endeavor was to get more people to take advantage of virtual care opportunities, especially since COVID was having a significant impact on how people preferred to receive care, as well as on our resources to provide in-person care. We used tracking pixels to determine how many people signed up for MyChart, not what they did after they signed in.
When we were notified about this Meta Pixel, we immediately removed the pixel while we investigate the matter. According to Facebook’s Terms and Conditions, they have policies and filters that block sensitive personal data.
The report noted that Novant, WakeMed, Piedmont Healthcare, and the four other hospital systems identified by STAT and The Markup as having Meta Pixel on their patient portals have all removed the tracker. However, some hospital systems that had the tracker on appointment scheduling pages, including Duke University Hospital and Atrium Health Carolinas Medical Center, did not remove it, according to the report.