NewYork-Presbyterian Hospital

Your Personal Info Could Be Exposed Online After This Hospital Breach

Breach Description

NewYork-Presbyterian Hospital (NYP) experienced a data breach that resulted in the exposure of patient data due to the use of tracking technology on its website. The breach was discovered after a journalist reported on the use of tracking tools on NYP websites in June 2022, which led to the hospital disabling the tracking tools and contracting a third-party forensic firm to assess the extent of the breach[1][4][6][7][14].

The New York Attorney General, Letitia James, secured a $300,000 settlement from NYP for failing to protect patient data. The investigation by the Office of the Attorney General (OAG) found that NYP had used advertising tools on its website that violated the Health Insurance Portability and Accountability Act (HIPAA). The tools were present on the hospital’s website from June 2016 to June 2022 and were used for marketing purposes. They inadvertently shared private information, including IP addresses, URLs, and in some cases, personal health information, with third-party tech companies like Google and Meta[1][4][9][12][13][14].

The breach affected over 54,000 individuals who had requested appointments, second opinions, or initiated a virtual urgent care visit via the NYP website. The disclosed information included names, email addresses, mailing addresses, and gender. However, there was no evidence that financial information, sensitive health information, or Social Security numbers were captured by the trackers and analytics tools[5][6][7].

As part of the settlement, NYP agreed to update its policies, implement enhanced privacy safeguards, and secure the deletion of protected health information (PHI). The hospital is also required to conduct regular audits and tests of third-party tools before deploying them to any NYP website or app, conduct regular reviews of contracts and privacy policies with these vendors, and instruct third parties to delete any PHI they received[1][4][9][13][14].

This incident has raised concerns about privacy and compliance with HIPAA regulations and highlights the need for healthcare organizations to prioritize patient data security and privacy[9].

Citations:

  1. https://ag.ny.gov/press-release/2023/attorney-general-james-secures-300000-newyork-presbyterian-hospital-failing
  2. https://healthitsecurity.com/news/newyork-presbyterian-hospital-notifies-12k-of-healthcare-data-breach
  3. https://colevannote.com/data-breach-new-york-presbyterian-hospital-2/
  4. https://healthitsecurity.com/news/ny-ag-fines-newyork-presbyterian-hospital-over-tracking-tech-use
  5. https://www.hipaajournal.com/website-tracking-technology-breach-affects-54000-new-york-presbyterian-hospital-patients/
  6. https://www.beckershospitalreview.com/cybersecurity/54-000-patients-affected-by-pixel-tracking-at-newyork-presbyterian-hospital.html
  7. https://healthitsecurity.com/news/tracking-pixel-use-results-in-data-breach-at-ny-hospital-54k-impacted
  8. https://www.hhs.gov/hipaa/for-professionals/compliance-enforcement/examples/new-york-and-presbyterian-hospital/index.html
  9. https://medriva.com/breaking-news/new-york-presbyterian-hospital-fined-for-data-breach-a-wake-up-call-for-healthcare-organizations/
  10. https://www.hipaajournal.com/new-york-presbyterian-pixel-settlement/
  11. https://www.idstrong.com/sentinel/new-york-presbyterian-hospital-breach/
  12. https://www.paubox.com/blog/nyp-web-tracking-fine-highlights-crackdown-on-hipaa-violations
  13. https://www.healthcareitnews.com/news/newyork-presbyterian-pays-300k-settle-ny-pixel-tracking-case
  14. https://www.psqh.com/news/data-breach-costs-ny-presbyterian-300k/
  15. https://highlandscurrent.org/2024/01/05/newyork-presbyterian-fined-by-state/?amp=1
  16. https://brooklyneagle.com/articles/2024/01/02/data-breached-at-ny-presbyterian-hospital/

Breach Submission Date: Mar 20, 2023
Converted Entity Name: NewYork-Presbyterian Hospital
Converted Entity Type: Healthcare Provider
State: NY
Individuals Affected: 54,396
Breach Type: Unauthorized Access/Disclosure
Breach Information Location: Network Server
Business Associate Present: Yes