Watch CBS News

Advocate Aurora Health reports data breach affecting up to 3 million patients

Advocate Aurora Health system announces data breach
Advocate Aurora Health system announces data breach 00:22

CHICAGO (CBS) -- Advocate Aurora Health, a major health care provider in the Chicago area, has reported a data breach that could have exposed private information of as many as 3 million patients.

In a notice posted on its website, Advocate Aurora Health said it uses internet tracking technologies from Facebook and Google, to help understand how its patients and others interact with its websites. The company said it has determined pieces of code known as "pixels" used in some of its websites and mobile apps transmitted some patient information to Facebook and Google.

"Out of an abundance of caution, Advocate Aurora Health has decided to assume that all patients with an Advocate Aurora Health MyChart account (including users of the LiveWell application), as well as any patients who used scheduling widgets on Advocate Aurora Health's platforms, may have been affected," the company said.

Advocate Aurora Health spokesperson Brigid Sweeney said the company is not aware of any misuse of information resulting from the data breach.

"We take patient privacy very seriously, employ robust internal controls to protect patient data and are committed to compliance with all laws applicable to our operations," Sweeney said in an email. "Like others in our industry, we have used internet tracking technologies to improve the consumer experience across our websites and encourage individuals to schedule necessary preventive care. We are thoroughly evaluating the information we collect and track. As part of this evaluation and out of an abundance of caution, we have turned off pixels and related analytics tools across our online properties."

In a filing with the U.S. Department of Health and Human Services Office for Civil Rights, Advocate Aurora Health indicated the data breach could affect 3 million people.

Advocate Aurora Health reports data breach affecting up to 3 million patients 00:25

That information involved in the breach could include patients' IP addresses; dates, times, and/or locations of scheduled appointments; their proximity to an Advocate Aurora Health location; information about their providers; insurance information; types of appointments or medical procedures; communications through patients' MyChart accounts; and patients' names and medical record numbers.

Advocate Aurora Health said, based on their investigation, no patients' Social Security numbers, financial accounts, or credit or debit card information were involved in the breach.

"These pixels would be very unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident," the company said.

The company said it has disabled and/or removed the tracking pixels on its websites and apps, and launched an internal investigation into what patient information was transmitted to Facebook and Google.

Patients with questions can contact a dedicated Advocate Aurora Health help line at 866-884-3206 weekdays from 7 a.m. to 7 p.m., or Saturdays from 9 p.m. to 2 p.m.

Advocate Aurora Health is encouraging patients to review their financial accounts, and immediately report any suspicious or in accurate activity.

"Should you find accounts that you don't recall opening, receive inquiries from creditors that you did not initiate on your credit report, or suspect any other identity theft, immediately file a police report with your local law enforcement agency and contact the U.S. Federal Trade Commission, and your financial institution," they said.

Patients can also report any suspicious activity to any of the three major credit bureaus – Experian, Equifax, or TransUnion – and obtain a one-year fraud alert, or place a security freeze on their credit file to prevent credit, loans, and other financial services from being approved in their name without theirr consent. Anyone who has been a victim of identity theft also has the right to place a 7-year fraud alert on their credit files.

Contact information for the three credit bureaus is below:

Anyone wishing to get a credit freeze should contact all three credit agencies.

P.O. Box 105788
Atlanta, GA 30348-5788

P.O. Box 9554
Allen, TX 75013-9554

P.O. Box 2000
Chester, PA 19016-2000

View CBS News In
CBS News App Open
Chrome Safari Continue
Be the first to know
Get browser notifications for breaking news, live events, and exclusive reporting.