Attorney General James Secures $300,000 from NewYork-Presbyterian Hospital for Failing to Protect Patient Data

Advertising Tools on Hospital’s Website Tracked Visitors Searching for Doctors or Booking Appointments, in Violation of Federal Law

NEW YORK – New York Attorney General Letitia James today secured $300,000 from The NewYork-Presbyterian Hospital (NYP) for disclosing the health information of individuals who visited its website. An investigation by the Office of the Attorney General (OAG) found that the hospital used advertising tools on its website that collected and shared private and personal information with third-party tech companies when visitors used the website to search for doctors or book appointments, in violation of the Health Insurance Portability and Accountability Act (HIPAA). As a result of today’s settlement, NYP has agreed to change its policies, secure the deletion of protected health information, and maintain enhanced privacy safeguards and controls.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients' personal information and health data. NewYork-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that NewYork-Presbyterian is not negligent in protecting its patients’ information.”

The NewYork-Presbyterian Hospital operates 10 hospitals across New York City and the surrounding metropolitan area and receives more than 2 million patient visits each year. NYP’s website allows visitors to book appointments, search for doctors, learn about NYP services, and research information relating to symptoms and conditions. An OAG investigation found that NYP did not have appropriate internal policies or procedures for vetting third-party tracking tools and did not review or vet third-party tracking tools for violations of policy or law prior to their deployment.

Between June 2016 and June 2022, NYP used third-party tools to track visitors to its website for marketing purposes. These tools used snippets of code, known as tracking pixels or tags, that sent information back to the third party whenever a webpage loaded or a user took a pre-defined action, like clicking a link, submitting a form, or running a search using the website’s search function.

Third-party companies received a variety of information about NYP’s website visitors. In some cases, those companies received information about the user’s health. Most third-party companies received the user’s IP address and the URL of the webpage that had loaded or the link that was clicked. If a user searched for a doctor by specialty or condition, researched a health condition, or scheduled an appointment, information about the user’s doctor or health condition was in some cases reflected in the URL. For example, if a user conducted a search using the words “spine surgery,” the URL of the search result page would include “spine-surgery” and the third party would receive that health information about the user.

Several third parties received unique identifiers that had been stored on users’ devices, allowing third parties to recognize users they had previously interacted with. One of the third parties also may have received first and last name, email address, mailing address, and gender information.
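The leak described above is a property of the URL that a tag reports, so a covered entity can test for it before a tag goes live. The following is an added illustration, not code from NYP or from the OAG: it replays a constructed capture of tag requests and flags any request to a third-party host whose page URL (or echoed page URL in the tag’s own query string) contains a search term or path segment that reveals a condition or care-seeking action. The hostnames, endpoint paths, parameter names and term list are assumptions for illustration.

```python
"""Pre-deployment check for tracking tags that echo health-revealing page URLs.

Hostnames, endpoints, parameter names and the term list are constructed
assumptions for illustration; tune FIRST_PARTY_HOSTS and SENSITIVE_TERMS
to the site being vetted.
"""
import re
from urllib.parse import parse_qs, unquote, urlparse

FIRST_PARTY_HOSTS = {"www.hospital.example"}  # assumed first-party hostname
# Words whose presence in a page URL implies a condition or a care-seeking act
SENSITIVE_TERMS = {"surgery", "oncology", "cancer", "hiv", "psychiatry",
                   "appointment", "book", "doctor", "doctors"}

def tokens(text):
    """Split a path or query value into lowercase words: 'spine-surgery' -> {'spine','surgery'}."""
    return set(re.findall(r"[a-z0-9]+", unquote(text).lower()))

def page_terms(page_url):
    """Sensitive terms visible in a page URL's path segments and query values."""
    p = urlparse(page_url)
    found = tokens(p.path)
    for values in parse_qs(p.query).values():
        for v in values:
            found |= tokens(v)
    return found & SENSITIVE_TERMS

def audit_request(tag_url, page_url):
    """Finding dict if a third-party tag request carries sensitive page terms, else None."""
    tag = urlparse(tag_url)
    if tag.hostname in FIRST_PARTY_HOSTS:
        return None  # first-party endpoint: not a disclosure to a third party
    leaked = page_terms(page_url)
    # Tags often echo the full page URL in a parameter; inspect those values as well
    for values in parse_qs(tag.query).values():
        for v in values:
            leaked |= page_terms(v) if v.startswith("http") else tokens(v) & SENSITIVE_TERMS
    if not leaked:
        return None
    return {"third_party": tag.hostname, "page": page_url, "terms": sorted(leaked)}

def audit(captured):
    """Run audit_request over (tag_url, page_url) pairs and return the findings."""
    return [f for f in (audit_request(t, p) for t, p in captured) if f]

# Constructed capture: (tag request URL, URL of the page that fired it)
CAPTURED = [
    ("https://pixel.adtech.example/collect?ev=pageview&dl=https%3A%2F%2Fwww.hospital.example%2Fsearch%3Fq%3Dspine%2Bsurgery",
     "https://www.hospital.example/search?q=spine+surgery"),
    ("https://pixel.adtech.example/collect?ev=click&dl=https%3A%2F%2Fwww.hospital.example%2Fdoctors%2Fjane-doe%2Fbook-appointment",
     "https://www.hospital.example/doctors/jane-doe/book-appointment"),
    ("https://www.hospital.example/analytics?ev=pageview", "https://www.hospital.example/search?q=spine+surgery"),
    ("https://pixel.adtech.example/collect?ev=pageview&dl=https%3A%2F%2Fwww.hospital.example%2F", "https://www.hospital.example/"),
]

if __name__ == "__main__":
    for finding in audit(CAPTURED):
        print(finding)
```

On the constructed capture, the two requests from the search-results and booking pages are flagged, while the first-party analytics call and the tag fired from the homepage are not.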

In June 2022, a journalist reported on the use of tracking tools on NYP websites and their collection of sensitive health data. NYP disabled tracking tools on its website soon after and contracted a third-party forensic firm to determine the extent of the data released. In March 2023, NYP formally reported that the incident affected over 54,000 people.

As a result of today’s agreement, NYP has agreed to pay $300,000 and to adopt policies and procedures to prevent the disclosure of protected health information through tracking tools, including:

  • Maintaining appropriate policies and procedures on the use of third-party tools;
  • Conducting regular audits, reviews, and tests of third-party tools before deploying them to an NYP website or app;
  • Conducting regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools; and
  • Instructing third parties to delete any protected health information they received.

Healthcare providers can find guidance on HIPAA’s application to the use of tracking technologies in the document Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, issued by the Office for Civil Rights at the United States Department of Health and Human Services.

Today’s agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for their poor data security practices. In November, Attorney General James secured $450,000 from US Radiology for a data breach that leaked the personal data of more than 92,000 New Yorkers. In October, Attorney General James secured $350,000 from Long Island health care company Personal Touch for failing to secure the data of 300,000 New Yorkers. Earlier that month, Attorney General James and a multistate coalition secured $49.5 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. In May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In October 2022, Attorney General James announced a $1.9 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers.

This matter was handled by Assistant Attorney General Nathaniel Kosslyn, Senior Enforcement Counsel Jordan Adler, and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology, under the supervision of Bureau Chief Kim Berger. The Bureau of Internet and Technology is a part of the Division for Economic Justice, which is led by Chief Deputy Attorney General Chris D’Angelo. The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy.