Your Medical Privacy is Our Top Priority.
Novant Health takes privacy and the care of patient information very seriously and we value the trust our patients place in us to keep their medical information private. We apologize for the concern this may have caused our patients.
Once made aware of the potential issue, we disabled and removed the pixel from our site. We also have implemented more structure, governance and policies around the use of pixels and promise that we will take appropriate actions to ensure that this does not happen again.
If you did not receive a letter from Novant Health about this, it means: your information was not sent to Meta; that you are a New Hanover Regional Medical Center patient and were not impacted by this incident; that we do not have an accurate address on file for you; or the letter is currently in transit.
You are not impacted if you are a New Hanover Regional Medical Center patient.
We created this FAQ to answer the most common questions we have received on this topic.
Novant Health, in an effort to be as transparent as possible, mailed letters to some patients following possible disclosure of protected health information (PHI) resulting from an incorrect configuration of pixel, an online tracking tool.
In May 2020, as our nation confronted the beginning of the COVID-19 pandemic, Novant Health launched a promotional campaign to connect more patients to the Novant Health MyChart patient portal, with the goals of improving access to care through virtual visits and to provide increased accessibility to counter the limitations of in-person care. This campaign involved Facebook advertisements and a Meta (Facebook parent company) tracking pixel placed on the Novant Health website to help understand the success of those advertisement efforts on Facebook. However, the pixel was configured incorrectly and may have allowed certain private information to be transmitted to Meta from the Novant Health website and MyChart portal.
Immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta, Novant Health disabled and removed the pixel as a precaution and began an investigation to learn whether, and to what extent, information was transmitted. Based on that investigation, Novant Health determined on June 17, 2022, that it was possible PHI might have been disclosed to Meta, depending upon a user’s activity within the Novant Health website and MyChart portal. This information potentially included an impacted patient’s: demographic information such as email address, phone number, computer IP address, and contact information entered into Emergency Contacts or Advanced Care Planning; and information such as appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes. The information did not include Social Security numbers or other financial information unless it was typed into a free text box by the user. The letter sent to each patient impacted will specifically state whether such financial information may have been involved.
What is a pixel and why would Novant Health use one?
A pixel is a piece of code that organizations commonly use to measure activity and experiences on their website. In this case, the pixel was placed on our website to help us understand the success of campaign efforts on Facebook to get more patients connected to the Novant Health MyChart patient portal. The campaign goal was to improve access to care through virtual visits and provide increased accessibility to counter the limitations of in-person care.
Does Facebook have my personal information or personal health information?
It is possible sensitive information or PHI might have been disclosed to Meta, depending upon a user’s activity within the Novant Health website and MyChart portal. This information could potentially include: demographic information such as email address, phone number, computer IP address, and contact information entered into Emergency Contacts or Advanced Care Planning; and information such as appointment type and date, physician selected, button/menu selections, and/or content typed into free text boxes.
Based on our investigation, we do not have any evidence that this information was acted on by Meta or any other third party.
Does Facebook have access to my MyChart username and password?
No, information such as username and password was not captured by the Meta pixel.
Am I affected by this incident?
If you are affected by this incident, you will or already have received a letter in the mail from Novant Health to inform you that your information may have been impacted.
Does Facebook have my financial information?
Novant Health has provided individual notices to impacted patients. The information did not include your Social Security number or other financial information unless the letter you received expressly states that your Social Security number or other financial information may have been involved.
Will Novant Health provide credit monitoring to impacted individuals?
Novant Health will provide credit monitoring to any individuals who may have provided Social Security numbers or other financial information through a free text box impacted by pixel in MyChart. The letter sent to each user will specifically state whether such financial information may have been involved.
I was never a patient of Novant Health. How did Novant Health have my information?
You may have received a vaccine through a Novant Health vaccine clinic, or you may have been a patient of an independent physician or facility that uses the Novant Health MyChart medical record system. A full list of these practices can be found here.
I did not receive a letter from Novant Health; what does that mean?
It means that your information was not impacted by the pixel; that you are a New Hanover Regional Medical Center patient and were not impacted by this incident; that we do not have an accurate address on file for you; or that the letter is currently in transit.
You may call 704-561-6950 or toll-free 1-877-446-1062 to verify your address and if you may have been impacted by this incident. The call center will take your information and have someone reach back out to you.
Should I be concerned about the security of my electronic health record?
No. MyChart provides you many positives, including reaching out to your provider, prescription refills, easy appointment requests and more. Based on our investigation, we do not have any evidence your information was acted on by Meta or any other third party. The pixel has been removed and is no longer transmitting data to Meta.
Furthermore, based on our investigation, Novant Health is unaware of any improper use or attempted use of any patient information by Meta or any other third party. According to Facebook’s Terms and Conditions, they have policies and filters that block sensitive personal data and do not incorporate that information into their Ad Manager.
What should I do now?
Based on our investigation, we do not have any evidence that this information was acted on by Meta or any other third party. Maintaining the privacy of electronic information is important, and you can play an important role in protecting your information online. To learn more about best practices to protect your information online, visit consumer.ftc.gov/online-security. If you have additional questions, you may call 704-561-6950.
When did Novant Health remove the pixel?
In late May 2022, immediately upon becoming aware that the pixel had the capability to transmit unintended information to Meta.
When did Novant Health discover this problem?
We first learned of the possibility in May of this year when a reporter called and asked about the use of MetaPixel. We immediately removed the MetaPixel and launched an investigation, during which we tried to determine what, if any, information may have been shared with Meta.
From there, we worked to determine if Meta received the information and what information might have been shared at the individual level. When we had that information, we started the process to mail patient letters. Note that Meta’s policies say they filter sensitive data from being received.
Is anyone getting credit monitoring?
Credit monitoring will be provided to those few individuals whose financial information might have been disclosed to Meta. (For example, if you entered your credit card number into a free text box). If your financial information was not disclosed to Meta, then you do not need to have credit monitoring as a result of this situation.
What is Novant Health doing about this now?
We have stopped the use of the pixel, have designed new internal processes to prevent this type of situation from occurring again in the future, and are alerting our patients.
I’ve recently been a victim of a scam, identity theft or some other nefarious online activity. Is that related to this situation?
It is not. If affected, your information would have only gone to Facebook.
Does this impact my medical record or billing?
Not at all.
Did Novant Health ask Facebook for the information to be returned or destroyed?
Meta has said their filters generally did not allow them to accept the information. Meta has indicated that they do not have information to return or destroy.