NYP to pay USD 3L for disclosing health information of individuals

The NewYork-Presbyterian Hospital (NYP) will pay $300,000 for disclosing the health information of individuals who visited its website, New York Attorney General Letitia James announced.

James said an investigation by her office found that the hospital used advertising tools on its website that collected and shared private and personal information with third-party tech companies when visitors used the website to search for doctors or book appointments, in violation of the Health Insurance Portability and Accountability Act (HIPAA).

As a result of the settlement, NYP has also agreed to change its policies, secure the deletion of protected health information, and maintain enhanced privacy safeguards and controls.

The NewYork-Presbyterian Hospital operates 10 hospitals and receives more than 2 million patient visits each year. The NYP’s website allows visitors to book appointments, search for doctors, learn about NYP services, and research information relating to symptoms and conditions.

The investigation found that NYP did not have appropriate internal policies or procedures for vetting third-party tracking tools and did not review or vet third-party tracking tools for violations of policy or law prior to their deployment.

Between June 2016 and June 2022, NYP used third-party tools to track visitors to its website for marketing purposes. These tools used snippets of code, known as tracking pixels or tags, that sent information back to the third party whenever a webpage loaded or a user took a pre-defined action, like clicking a link, submitting a form, or running a search using the website’s search function.

Third-party companies received a variety of information about NYP’s website visitors. In some cases, those companies received information about the user’s health. Most third-party companies received the user’s IP address and the URL of the webpage that had loaded or the link that was clicked. If a user searched for a doctor by specialist or condition, researched a health condition, or scheduled an appointment, information about the user’s doctor or health condition were in some cases reflected in the URL. For example, if a user conducted a search using the words “spine surgery,” the URL of the search result page would include “spine-surgery” and the third party would receive that health information about the user, according to the attorney general’s office.

Several third parties received unique identifiers that had been stored on users’ devices, allowing third parties to recognize users they had previously interacted with. One of the third parties also may have received first and last name, email address, mailing address, and gender information.

In June 2022, officials said that a journalist reported on the use of tracking tools on NYP websites and the collection of sensitive health data. The NYP disabled tracking tools on its website soon after and contracted a third-party forensic firm to determine the extent of the data released. In March 2023, NYP formally reported the incident affected over 54,000 people. Insurance Journal