Attorney General James Secures 300000 from NewYorkPresbyterian Hospital for Failing to Protect Patient Data

pNEW YORK New York Attorney General Letitia James today secured 300000 from The NewYorkPresbyterian Hospital NYP for disclosing the health information of individuals who visited their website An investigation by the Office of the Attorney General OAG found that the hospital used advertising tools on its website that collected and shared private and personal information with thirdparty tech companies when visitors used the website to search for doctors or book appointments in violation of the Health Insurance Portability and Accountability Act HIPAA  As a result of todays settlement NYP has agreed to change its policies secure the deletion of protected health information and maintain enhanced privacy safeguards and controlsppNew Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised said Attorney General James Hospitals and medical facilities must uphold a high standard for protecting their patients personal information and health data NewYorkPresbyterian failed to handle its patients health information with care and as a result tech companies gained access to peoples data Todays agreement will ensure that NewYorkPresbyterian is not negligent in protecting its patients informationppThe NewYorkPresbyterian Hospital operates 10 hospitals across New York City and the surrounding metropolitan area and receives more than 2 million patient visits each year The NYPs website allows visitors to book appointments search for doctors learn about NYP services and research information relating to symptoms and conditions An OAG investigation found that NYP did not have appropriate internal policies or procedures for vetting thirdparty tracking tools and did not review or vet thirdparty tracking tools for violations of policy or law prior to their deploymentppBetween June 2016 and June 2022 NYP used thirdparty tools to track visitors to its website for marketing purposes These tools used snippets of code known as tracking pixels or tags that sent information back to the third party whenever a webpage loaded or a user took a predefined action like clicking a link submitting a form or running a search using the websites search functionppThirdparty companies received a variety of information about NYPs website visitors In some cases those companies received information about the users health Most thirdparty companies received the users IP address and the URL of the webpage that had loaded or the link that was clicked If a user searched for a doctor by specialist or condition researched a health condition or scheduled an appointment information about the users doctor or health condition were in some cases reflected in the URL For example if a user conducted a search using the words spine surgery the URL of the search result page would include spinesurgery and the third party would receive that health information about the userppSeveral third parties received unique identifiers that had been stored on users devices allowing third parties to recognize users they had previously interacted with One of the third parties also may have received first and last name email address mailing address and gender informationppIn June 2022 a journalist reported on the use of tracking tools on NYP websites and their collection of sensitive health data The NYP disabled tracking tools on its website soon after and contracted a thirdparty forensic firm to determine the extent of the data released In March 2023 NYP formally reported the incident affected over 54000 peopleppAs a result of todays agreement NYP has agreed to pay 300000 and to adopt policies and procedures to prevent the disclosure of protected health information through tracking tools includingppHealthcare providers can find guidance on HIPAAs application to the use of tracking technologies in the document Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates issued by the Office for Civil Rights at the United States Department of Health and Human Services ppTodays agreement continues Attorney General James efforts to protect New Yorkers personal information and hold companies accountable for their poor data security practices In November Attorney General James secured 450000 from US Radiology for a data breach that leaked the personal data of more than 92000 New Yorkers In October Attorney General James secured 350000 from Long Island health care company Personal Touch for failing to secure the data of 300000 New Yorkers Earlier that month Attorney General James and a multistate coalition secured 495 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users In September Attorney General James reached an agreement with Marymount Manhattan College to invest 35 million to protect students online data Also in May Attorney General James recouped 550000 from a medical management company for failing to protect patient data In April Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices In October 2022 Attorney General James announced a 19 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumersppThis matter was handled by Assistant Attorney General Nathaniel Kosslyn Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell of the Bureau of Internet and Technology under the supervision of Bureau Chief Kim Berger The Bureau of Internet and Technology is a part of the Division for Economic Justice which is led by Chief Deputy Attorney General Chris DAngelo The Division of Economic Justice is overseen by First Deputy Attorney General Jennifer Levy ppWe Value Your Privacy
We use cookies to enhance your browsing experience serve personalized content and analyze our traffic By using this website you consent to our use of cookiesp