The hospital self-reported the breach that affected more than 54,000 people.
New York Presbyterian Hospital will pay a $300,000 fine for a data breach that for six years sent visitors' personal information captured by tracking tools on the hospital's website to Meta and other third-party tech vendors, the New York State Attorney General's Office said Wednesday.
According to the AG's office, between 2016 and 2022 NYP used unvetted third-party tracking pixels and tags on its website that sent visitors' data back to vendors whenever the website loaded or when a visitor clicked a link, submitted a form, or ran a search.
A class-action suit filed against NY Pres identifies Meta Platforms, Inc., the parent company of Facebook, as one of the vendors that received the data.
In some cases, the AG's office says, the data sent back to vendors included personal health information along with users' IP addresses and the URL for the webpage that had been accessed.
"If a user searched for a doctor by specialist or condition, researched a health condition, or scheduled an appointment, information about the user's doctor or health condition were in some cases reflected in the URL," the AG's office says in a media release.
"For example, if a user conducted a search using the words 'spine surgery,' the URL of the search result page would include 'spine-surgery' and the third party would receive that health information about the user."
Some vendors also collected "unique identifiers" stored on the users' devices that allowed the vendors to identify users they had previously interacted with, including first and last names, email addresses, mailing addresses and gender information, the AG says.
The breach was identified in June 2022 when a journalist reported on the use of the tracking tools on the NYP website. NYP immediately disabled the tracking tools and hired a third-party forensic company to assess the extent of the breach.
In March 2023 NYP formally reported that the breach affected more than 54,000 people.
NY Pres Responds
New York Presbyterian issued the following statement in response to the AG's media release:
"We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients' health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards."
New Security Procedures
In addition to the fine, NYP will adopt procedures to prevent the disclosure of protected health information through tracking tools, including:
- Maintaining appropriate policies and procedures on the use of third-party tools;
- Conducting regular audits, reviews, and tests of third-party tools before deploying them to a NYP website or app;
- Conducting regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools; and
- Instructing third parties to delete any protected health information they received.
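The mechanism described above (a tag or pixel that fires on page load, click, form submission or search and ships the page URL and device identifiers to a vendor) is exactly what the audit-before-deployment requirement in the list is meant to catch. The following script is an added example, not code from the article or from NYP, showing one way such an audit can start: parse a page's HTML and list every script, image, iframe or stylesheet that is fetched from a host outside the site's own domain, flagging 1x1 images as likely tracking pixels. The sample page, the domain `hospital.example` and the vendor host names are constructed for the example.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Tags whose named attribute causes the browser to request a remote resource,
# which is how third-party pixels and tags receive the page URL and cookies.
RESOURCE_ATTRS = {"script": "src", "img": "src", "iframe": "src", "link": "href"}


class _ResourceCollector(HTMLParser):
    """Collects (tag, attrs) for every element that loads an external resource."""

    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):
        attr_name = RESOURCE_ATTRS.get(tag)
        if attr_name is None:
            return
        attrs = dict(attrs)
        url = attrs.get(attr_name)
        if url:
            self.resources.append((tag, url, attrs))


def is_first_party(host, first_party_domain):
    """True for the site's own domain and any of its subdomains."""
    return host == first_party_domain or host.endswith("." + first_party_domain)


def looks_like_pixel(tag, attrs):
    """A 1x1 image is the classic tracking pixel shape."""
    return tag == "img" and attrs.get("width") == "1" and attrs.get("height") == "1"


def third_party_resources(html, first_party_domain):
    """Return a list of third-party resources embedded in the page.

    Each finding records the tag, the vendor host, the full URL and whether
    the element is shaped like a tracking pixel. Relative URLs are same-origin
    and are skipped.
    """
    collector = _ResourceCollector()
    collector.feed(html)
    findings = []
    for tag, url, attrs in collector.resources:
        host = urlsplit(url).hostname  # also handles protocol-relative "//host/path"
        if not host:
            continue  # relative URL: served by the site itself
        host = host.lower()
        if is_first_party(host, first_party_domain.lower()):
            continue
        findings.append({
            "tag": tag,
            "host": host,
            "url": url,
            "pixel": looks_like_pixel(tag, attrs),
        })
    return findings


# Constructed sample page: a first-party script and stylesheet, a first-party
# iframe, plus one vendor script and one vendor pixel. Host names are made up.
SAMPLE_PAGE = """
<html><head>
<script src="/static/app.js"></script>
<script src="https://tracker.example-vendor.test/tag.js"></script>
<link rel="stylesheet" href="https://www.hospital.example/css/site.css">
</head><body>
<img src="https://analytics.example-vendor.test/tr?ev=PageView" width="1" height="1">
<iframe src="https://www.hospital.example/portal"></iframe>
<img src="/images/logo.png" alt="logo">
</body></html>
"""

if __name__ == "__main__":
    for finding in third_party_resources(SAMPLE_PAGE, "hospital.example"):
        kind = "PIXEL " if finding["pixel"] else "TAG   "
        print(f"{kind} <{finding['tag']}> {finding['host']}  {finding['url']}")
```

Run against a crawl of the site's pages, the output is an inventory of every vendor that receives page-level data; each entry should map to a reviewed contract and privacy policy (the third item in the list above) before the tag goes live, and any host that does not should be removed. The check is static and will not see tags injected later by a tag manager, so it complements rather than replaces a runtime review of the browser's network requests.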
John Commins is a content specialist and online news editor for HealthLeaders, a Simplify Compliance brand.