Get all your news in one place.
100’s of premium titles.
One app.
Start reading
Chicago Tribune
Chicago Tribune
Business
Lisa Schencker

Advocate Aurora reports data breach affecting as many as 3 million patients

A data breach at hospital system giant Advocate Aurora Health may have exposed the information of as many as 3 million patients who use its online patient portals and other tools, the system said.

Advocate Aurora, which has 27 hospitals in Illinois and Wisconsin, said exposed patient data may include IP addresses; dates, times, and/or locations of scheduled appointments; a patient’s proximity to an Advocate Aurora Health location; information about patients’ provider; types of appointment or procedures; and communications between patients and others on MyChart.

Advocate Aurora said in a statement on its website that it has launched an internal investigation, and does not believe Social Security numbers, financial accounts, credit card or debit card information were leaked.

The system said the breach is unlikely to lead to identity theft or financial harm, and it’s seen no evidence of misuse of information or fraud.

The health system said that it uses outside vendors to track trends and preferences of its patients as they use its website. Those preferences are tracked through the use of “pixels,” which are pieces of code. Advocate Aurora said in the statement that it learned that pixels and similar technologies installed on its patient portals, as well as on some of its scheduling widgets, sent patient information to the vendors who supply the pixels. People who were logged into their Facebook or Google accounts at the same time may have been particularly affected, Advocate Aurora said.

Advocate Aurora has since disabled or removed the pixels, according to the statement.

“Advocate Aurora Health apologizes for the inconvenience that these technologies may have caused,” the system said.

Patients with questions about the breach may call 866-884-3206 from Monday through Friday from 7 a.m. to 7 p.m., and Saturday from 9 a.m. to 2 p.m.

The system reported the breach to the U.S. Department of Health and Human Services Office for Civil Rights. Health systems must report breaches of protected health information involving 500 or more individuals to that office, which posts reports on a public website, nicknamed the Wall of Shame. The Office for Civil Rights investigates such breaches and can levy fines against health systems, depending on severity.

Data breaches have plagued hospital systems across the country for years, as hospitals try to keep up with ever-changing technologies, evolving cyber criminal activity and competing demands for their dollars and time.

Sign up to read this article
Read news from 100’s of titles, curated specifically for you.
Already a member? Sign in here
Related Stories
Top stories on inkl right now
One subscription that gives you access to news from hundreds of sites
Already a member? Sign in here
Our Picks
Fourteen days free
Download the app
One app. One membership.
100+ trusted global sources.