MyChart trackers yield patient data, including medical information

“The Register” had this article today about an Advocate Aurora Health leak. Apparently, the “tracker” on MyChart sent data to slurping third parties.

“It’s now determined that code – known also as trackers or pixels because they may be loaded onto pages as invisible single pixels – may have sent personal info from the pages patients had open to those providing the trackers, such as Facebook or Google.”

I mention this because an article appeared locally on October 18th about a very large Medical Center here doing the same thing with their “pixel” on MyChart. Anyone who logged into their MyChart account or scheduled an appointment on that entity’s website between March 2018 and May 2022 had their data, including medical information, sent to Meta. (I am not going to post the link, because it is local.)

It also pleads “misconfiguration,” but it has really just become the cost of doing business, at least in the US. There are no teeth to the punishment, if there is any. “We take security and privacy seriously. We are unaware of misuse. Blah blah.” So much for HIPAA.


There was this, also: Could Facebook be more despicable?

I’m already ticked off at my provider because their system suffered a massive data breach in the last year; an employee clicked on a phishing link. Patient details, including contact information, profile photo, and entire medical histories were taken. I changed all my phone numbers and email addresses, and compartmentalized them all per activity after that. The break-in was attributed to a nation-state, so I’m sure my dossier is growing by leaps and bounds somewhere, after all the data breaches I’ve been affected by.

I don’t need the additional insult-to-injury of being tracked by unethical companies.


@amarok, I am sorry, but I missed or forgot your posts.

I share your frustration. As careful as I am, I have been in two major breaches, including my health care insurer and a to-be-unnamed credit bureau. Plus, there were two other smaller ones.

I also had a charge card number stolen. (I am pretty sure I know where, and it was a legitimate company with which I do not do business anymore.) The charge card company was very good about voiding the fraudulent charges, but then sent an e-mail with the new four digits it had changed (!) and listed all the recurring charge information: companies, addresses, amounts, etc. It told me I needed to notify them of the new number. I shredded the card and closed the account. At the time, I did security and privacy at work and had read the PCI Data Security Standard. Of course, it ignored my letters.

One of the ways I can tell sometimes is to do what you do. Compartmentalize. I use aliases everywhere. My health care provider reported my COVID vaccines to the State using an e-mail address that only they and another entity had. The State did not. Gotcha.

I get angry when those who legitimately collect information are so very negligent. But, as I said, even if they get their hands slapped, it is the cost of doing business. No one outside of us folks seems to care. I guess ignorance really is bliss.