The New York Attorney General Letitia James recently concluded a legal action against The NewYork-Presbyterian Hospital (NYP), resulting in a $300,000 settlement. This action was due to the hospital’s unauthorized use of online tracking tools on its website, which led to the unintentional sharing of sensitive personal and health-related information of its visitors with third-party technology companies. This incident was a clear breach of the Health Insurance Portability and Accountability Act (HIPAA), the most important piece of legislation designed to protect patient privacy and sensitive health information.
From June 2016 to June 2022, NYP employed third-party tracking tools on its website. These tools, including tracking pixels and tags, were primarily used for marketing and analytics purposes. Through them, the hospital inadvertently collected and transmitted private information about website visitors to third-party tech companies. When individuals used the website to search for doctors, book appointments, or seek medical information, these tools captured and shared their data. Beyond IP addresses and the URLs of web pages viewed, in some instances the tracking tools also relayed health-related information inferred from search terms. For example, if a user searched for “spine surgery” on the hospital’s website, the URL of the search results page, which included the term “spine-surgery”, was shared with third parties, revealing the user’s health interests or conditions.
The extent of the data leak became apparent in March 2023 when NYP reported that more than 54,000 individuals were affected by this breach of privacy. This discovery came to light following a journalistic investigation in June 2022, which led to the hospital immediately disabling the tracking tools on its website and commissioning a forensic investigation to understand the scope of the data release. The settlement with the Attorney General’s office mandates that NYP pay a fine of $300,000. The hospital is also required to implement new policies and procedures that will prevent such breaches in the future. These include conducting thorough audits and reviews of third-party tools before their implementation, maintaining extensive policies for their use, and ensuring that third parties delete any protected health information they have received. This case comes after a bulletin issued in 2022 by the Department of Health and Human Services Office for Civil Rights (OCR). This bulletin warned healthcare providers about the potential for HIPAA violations when sharing protected health information with online tracking technology vendors like Google Analytics or Meta Pixel.
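The kind of pre-deployment audit the settlement requires can be partly automated: capture the requests a page makes and flag any third-party request that carries the first-party page URL (in the Referer header or a query parameter) containing a health-related search term. The following is an added example, not code from the article or from NYP; the hostnames, the term watchlist and the captured requests are all constructed for illustration.

```python
from urllib.parse import urlparse, parse_qs, unquote

FIRST_PARTY = "hospital.example"            # constructed first-party hostname
SENSITIVE_TERMS = ("spine-surgery", "oncology", "hiv")  # constructed watchlist

# Constructed sample of outgoing requests as a browser audit might record them:
# (request URL, Referer header sent with it). Tracker hostnames are placeholders.
SAMPLE_REQUESTS = [
    ("https://hospital.example/search?q=spine%20surgery", ""),
    ("https://tracker.example/collect?dl=https%3A%2F%2Fhospital.example"
     "%2Fsearch%2Fspine-surgery&tid=123",
     "https://hospital.example/search/spine-surgery"),
    ("https://cdn.example/pixel.gif", "https://hospital.example/find-a-doctor"),
]


def is_third_party(url, first_party):
    """True when the request host is neither the first party nor a subdomain of it."""
    host = (urlparse(url).hostname or "").lower()
    return host != first_party and not host.endswith("." + first_party)


def leaked_terms(text, terms):
    """Return watchlist terms present in text; normalises '%20' and spaces to '-'."""
    normalised = unquote(text).lower().replace(" ", "-")
    return sorted(t for t in terms if t in normalised)


def audit(requests, first_party=FIRST_PARTY, terms=SENSITIVE_TERMS):
    """List (tracker_host, terms) for third-party requests that carry sensitive terms."""
    findings = []
    for url, referer in requests:
        if not is_third_party(url, first_party):
            continue                      # first-party traffic is expected
        parsed = urlparse(url)
        hits = set(leaked_terms(referer, terms))          # page URL via Referer
        for values in parse_qs(parsed.query).values():    # page URL via params
            for value in values:
                hits.update(leaked_terms(value, terms))
        if hits:
            findings.append((parsed.hostname, sorted(hits)))
    return findings


if __name__ == "__main__":
    for host, terms in audit(SAMPLE_REQUESTS):
        print(f"third party {host} received sensitive term(s): {', '.join(terms)}")
```

Feeding the audit a real capture (for example the entries of a HAR file) instead of the constructed list turns it into a repeatable pre-release check for new tags or pixels.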
This incident is part of Attorney General James’ efforts to protect personal information and hold entities accountable for lapses in data security. Her office has taken action against several other organizations for similar breaches, reflecting the growing focus on data privacy and security across various industries. The settlement with NYP also shows the ongoing challenges healthcare providers face in balancing the use of digital technologies for operational efficiency and marketing with the imperative to protect patient privacy. It emphasizes the necessity for healthcare entities to establish and maintain sufficient data security and privacy measures, especially when incorporating third-party technologies. Regular audits, employee training, and a deep understanding of compliance requirements under laws like HIPAA are necessary to prevent such breaches.