“Advocate’s conduct described herein was intentional and highly offensive to a reasonable person,” the complaint reads. “Advocate’s willful and reckless conduct . . . would cause serious mental injury, shame or humiliation to people of ordinary sensibilities.”
Advocate Aurora, which is dually headquartered in Downers Grove and Milwaukee, reported the data breach earlier this month. The healthcare provider explained in a statement on its website that it used internet tracking technologies from companies like Google and Meta to help it collect details about how patients and others interact with its websites.
Advocate Aurora, which operates 27 hospitals, says it later learned that these technologies, pieces of code known as “pixels” that were installed on its patient portal, transmitted certain patient information to Google and Meta, and possibly to other third-party vendors. It’s unclear exactly how long Advocate Aurora used pixel technology and when it identified information leaks related to it.
“Like others in our industry, we have used internet tracking technologies to improve the consumer experience across our websites and encourage individuals to schedule necessary preventive care,” Advocate Aurora said in a statement today. “We are thoroughly evaluating the information we collect and track. As part of this evaluation and out of an abundance of caution, we have turned off pixels and related analytics tools across our online properties. We are not aware of any misuse of information arising from this incident.”
Meta did not immediately respond to a request for comment. Google is not listed as a defendant in the lawsuit.
Advocate Aurora said at the time of the data breach announcement that it assumes all patients with an Advocate Aurora Health MyChart account, including users of the LiveWell application, and any patients using scheduling widgets on Advocate Aurora’s platforms may have been affected and had information exposed to Meta or Google.
The complaint against Advocate Aurora follows a group of similar lawsuits filed against other health systems across the country, including some in Chicago. A lawsuit was filed against Northwestern Memorial Hospital in August for allegedly giving sensitive patient health data to Meta via its online patient portals. Rush System for Health was hit with a lawsuit Sept. 30 for exposing health information to Meta, Google and digital advertising firm Bidtellect.
Cases like Advocate Aurora’s highlight the challenges hospitals and other care providers face around health data stored online. Other lawsuits filed around the country show that hundreds of hospital systems and medical provider websites have sent data to Meta.
In the complaint against Advocate Aurora, Illinois resident Alistair Stewart, an Advocate Aurora patient since at least 2018 and Facebook user since at least 2012, is the only individual listed on the proposed class-action suit, but potentially of thousands of people could qualify for the class, according to the complaint.
Stewart used Advocates’ LiveWell patient portal to schedule appointments, view test results, read doctor’s notes and communicate with caretakers, the suit says. But by doing so, Stewart’s identifiable patient information was intercepted and disclosed by Advocate Aurora and Facebook, and he had no idea, according to the complaint.
The complaint argues that Facebook and Advocate Aurora benefit from pixel technology embedded on websites.
“When the Pixel is installed on a business’s website, the business has a greater incentive to advertise through Facebook or other Meta-owned platforms, like Instagram,” the complaint reads. “In addition, even if the business does not advertise with Facebook, the Pixel assists Facebook in building more fulsome profiles of its own users, which in turn allows Facebook to profit from providing more (and more lucrative) targeted ads.”
Attorneys representing plaintiffs in the suit against Advocate Aurora and Meta did not immediately respond to a request for comment. The proposed class action includes all people in the U.S. who are current or former patients of Advocate Aurora or any of its affiliates and used its patient portal. The value of the class damages exceeds $5 million, according to the complaint.
The lawsuit comes as Advocate Aurora is in the process of trying to merge with North Carolina-based Atrium Health. The Illinois Health Facilities & Services Review Board, which initially and briefly vetoed the deal before reconsidering, is set to make a final decision on Nov. 14.