Credit: Unsplash/CC0 Public Domain

Personal health information of up to 3 million patients in Illinois and Wisconsin may have been exposed to outside companies through tracking technology used on a large hospital system's electronic health records website.

Advocate Aurora Health, which operates 27 hospitals, said in a statement that the breach may have exposed information including a patients' medical provider, the type of appointment or , dates and locations of scheduled appointments and IP addresses.

The system said its investigation found no social security number, financial information or credit and debit card numbers were involved.

The system blamed the breach on its use of pixels—computer code that collects information on how a user interacts with a website—including products developed by Google and Facebook's parent company Meta that make the collected data accessible to those companies.

"These pixels would be very unlikely to result in or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident," the statement said. "Nevertheless, we always encourage patients to regularly review their financial accounts and report any suspicious, unrecognized or inaccurate activity immediately."

The health care industry's use of pixels has come under wide criticism from privacy advocates who warn that the technology's use violates federal patient privacy law.

A report published in June by The Markup found many of the country's top-ranked hospitals used the Meta Pixel, collecting and sending sensitive patient information to the social media company.

Advocate Aurora Health's statement did not specify what triggered its decision to publicize its use of pixels in the MyChart site where patients schedule appointments, communicate with providers' offices and view test results. The statement said the health system has disabled or removed all the pixels and is continuing to investigate internally.

The health system notified the Department of Health and Human Services of the breach affecting up to 3 million patients on Friday, according to the agency's public log of its investigations.

Nicholson Price, a law professor with a focus on healthcare innovation at the University of Michigan, said the announcement is a reminder that information is often less protected than U.S. consumers hope.

"Patients view these log-in sites as a place to see particularly private information," Price said. "So it's more surprising (for them) to learn about this kind of tracking technology used there."