CHICAGO (WLS) -- Advocate Aurora Health, one of Chicago's largest healthcare providers, has reported a massive data breach.
The personal health information of up to 3 million patients in Illinois and Wisconsin may have been exposed to outside companies through tracking technology used on a large hospital system's electronic health records website.
Advocate Aurora Health, which operates 27 hospitals, said in a statement Thursday that the breach may have exposed information including patients' medical provider, type of appointment or medical procedure, dates and locations of scheduled appointments and IP address.
The system said its investigation found no social security number, financial information or credit and debit card numbers were involved.
Advocate Aurora Health says it uses internet tracking technologies from Facebook and Google to help understand how its patients and others interact with its websites.
The company said it found pieces of code known as "pixels" used in some of its websites and mobile apps transmitted some patient information back to Facebook and Google.
"These pixels would be very unlikely to result in identity theft or any financial harm, and we have no evidence of misuse or incidents of fraud stemming from this incident," the statement said. "Nevertheless, we always encourage patients to regularly review their financial accounts and report any suspicious, unrecognized or inaccurate activity immediately."
The health care industry's use of pixels has come under wide criticism from privacy advocates who warn that the technology's use violates federal patient privacy law.
A report published in June by The Markup found many of the country's top-ranked hospitals used the Meta Pixel, collecting and sending sensitive patient information to the social media company.
Advocate Aurora Health's statement did not specify what triggered its decision to publicize its use of pixels in the MyChart site where patients schedule appointments, communicate with providers' offices and view test results. The statement said the health system has disabled or removed all the pixels and is continuing to investigate internally.
The health system notified the Department of Health and Human Services of the breach affecting up to 3 million patients on Friday, according to the agency's public log of its investigations.
Nicholson Price, a law professor with a focus on healthcare innovation at the University of Michigan, said the announcement is a reminder that health information is often less protected than U.S. consumers hope.
"Patients view these log-in sites as a place to see particularly private information," Price said. "So it's more surprising (for them) to learn about this kind of tracking technology used there."
Advocate says it's not aware of any misuse of information resulting from the incident.
The Associated Press contributed to this post.