File Photo – Advocate Condell Medical Center in Libertyville | Photo: Advocate Medical Group

Advocate Aurora Health, which operates hospitals in Libertyville, Barrington and throughout the Chicago area, reported a data breach that may have affected three million patients.

The health system released a statement and said that pieces of code called pixels, which gather user information on some of the health system’s websites or applications, shared certain patient information to third-party vendors that provided the health system with the pixel technology.

Tracking pixels or similar technologies were installed on patient portals available through MyChart and LiveWell websites and applications, as well as some of the system’s scheduling widgets.

The shared information may have involved a patient’s IP address, first and last name, medical record number, insurance status, proximity to an Advocate location, provider information, communications through MyChart and information about appointments or procedures.

“Based on our investigation, no social security number, financial account, credit card, or debit card information was involved in this incident,” the system said in the statement.

[Suggested Article]  Judge sentences man to 120 years in prison for sexually assaulting child over span of 6 years in Libertyville

The system said they review in aggregate the information gathered by tracking pixels so that they can “better understand patient needs and preferences to provide needed care to our patient population.”

According to a list of breaches provided by the U.S. Department of Health and Human Services Office for Civil Rights, Advocate’s breach may have affected three million people.

The health system has since disabled or removed the pixels from patient websites and applications and launched an investigation into the matter.

The system is assuming that all of its patients with a MyChart account, including users of the LiveWell application or anyone that has used scheduling widgets, may have been affected.

“Users may have been impacted differently based on their choice of browser; the configuration of their browsers; their blocking, clearing or use of cookies; whether they have Facebook or Google accounts; whether they were logged into Facebook or Google; and the specific actions taken on the platform by the user,” the system said.

[Suggested Article]  State police updates 'clear and present danger' rules in response to Highland Park mass shooting

The system said patients can protect themselves from online tracking by blocking or deleting cookies or using browsers that support privacy protection, like incognito mode.

“These pixels would be very unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident.”

“Nevertheless, we always encourage patients to regularly review their financial accounts and report any suspicious, unrecognized or inaccurate activity immediately.”