NY Settles With NewYork-Presbyterian Over Patient Privacy Abuses
Advertising tools on the hospital's website tracked visitors searching for doctors or booking appointments, in violation of federal law.

NEW YORK — NewYork-Presbyterian Hospital has promised not to use advertising software to track patients visiting its website to research doctors or make appointments, according to a settlement announced by New York Attorney General Letitia James.
The AG also said her office has secured $300,000 from The NewYork-Presbyterian Hospital for disclosing the health information of those who visited the website.
An investigation by the Office of the Attorney General (OAG) found that the hospital used advertising tools on its website that collected and shared private and personal information with third-party tech companies when visitors used the website to search for doctors or book appointments, in violation of the Health Insurance Portability and Accountability Act (HIPAA). As a result of the settlement, the hospital group has agreed to change its policies, secure the deletion of protected health information, and maintain enhanced privacy safeguards and controls to protect patients.
"New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised," James said in a statement, announcing the settlement. "Hospitals and medical facilities must uphold a high standard for protecting their patients' personal information and health data. NewYork-Presbyterian failed to handle its patients' health information with care, and as a result, tech companies gained access to people’s data. Today's agreement will ensure that NewYork-Presbyterian is not negligent in protecting its patients' information."
The NewYork-Presbyterian Hospital operates 10 hospitals in the greater New York City region. The hospital group receives more than 2 million patient visits each year and its website allows visitors to book appointments, search for doctors, learn about hospital services, and research information relating to symptoms and conditions. An OAG investigation, however, found that the hospital did not have appropriate internal policies or procedures for vetting third-party tracking tools and did not review or vet third-party tracking tools for violations of policy or law prior to their use.
Between June 2016 and June 2022, NewYork-Presbyterian used third-party tools to track visitors to its website for marketing purposes. The tools used snippets of code, known as tracking pixels or tags, that sent information back to the third party whenever a webpage loaded or a user took a pre-defined action, like clicking a link, submitting a form, or running a search using the website’s search function, according to the AG.
Third-party companies then received the information about NewYork-Presbyterian website visitors. In some cases, those companies received information about the user’s health. Most third-party companies received the user’s IP address and the URL of the webpage that had loaded or the link that was clicked. If a user searched for a doctor by specialist or condition, researched a health condition, or scheduled an appointment, information about the user’s doctor or health condition was, in some cases, reflected in the URL. The OAG said that, for example, if a user conducted a search using the words "spine surgery," the URL of the search result page would include "spine-surgery" and the third party would receive that health information about the user.
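As an added illustration (not part of the original article or the OAG's findings), the kind of pre-deployment audit a site owner could run over captured browser requests to spot this leak: it flags third-party requests whose Referer header or query parameters carry a first-party page URL from a sensitive section. The hosts, path rules and request records are constructed assumptions.

```javascript
// Added example; every host, URL and path rule here is constructed.
const FIRST_PARTY = "hospital.example";
// Hypothetical page types whose URLs reveal a condition or a doctor.
const SENSITIVE_PATHS = [/^\/search\//, /^\/doctors\//, /^\/appointments\//];

// True for the first-party domain and its subdomains.
function isFirstParty(host) {
  return host === FIRST_PARTY || host.endsWith("." + FIRST_PARTY);
}

// First-party page URLs a request discloses: the Referer header plus any
// query parameter whose (percent-decoded) value parses as a first-party URL.
function disclosedPages(req) {
  const candidates = req.referer ? [req.referer] : [];
  candidates.push(...new URL(req.url).searchParams.values());
  const pages = [];
  for (const value of candidates) {
    try {
      const page = new URL(value);
      if (isFirstParty(page.hostname)) pages.push(page);
    } catch {
      // Not an absolute URL (e.g. an event name); nothing to inspect.
    }
  }
  return pages;
}

// One finding per third-party request that reveals a sensitive page path.
function auditRequests(requests) {
  const findings = [];
  for (const req of requests) {
    const dest = new URL(req.url).hostname;
    if (isFirstParty(dest)) continue; // first-party traffic is out of scope
    const leak = disclosedPages(req).find((page) =>
      SENSITIVE_PATHS.some((rule) => rule.test(page.pathname)));
    if (leak) findings.push({ thirdParty: dest, leakedPath: leak.pathname });
  }
  return findings;
}

// Constructed capture, shaped like entries exported from a browser network log.
const SAMPLE = [
  { url: "https://tags.adtech.example/pixel?ev=PageView&dl=https%3A%2F%2Fwww.hospital.example%2Fsearch%2Fspine-surgery",
    referer: "https://www.hospital.example/search/spine-surgery" },
  { url: "https://sync.broker.example/i?u=https%3A%2F%2Fwww.hospital.example%2Fdoctors%2Fjane-roe" },
  { url: "https://metrics.vendor.example/collect?page=home", referer: "https://www.hospital.example/" },
  { url: "https://www.hospital.example/api/search?q=spine-surgery", referer: "https://www.hospital.example/search/spine-surgery" },
];
console.log(auditRequests(SAMPLE));
```

The check covers only URLs sent in the Referer header or query string; a page URL sent in a request body would need the same inspection applied to the body.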
Third parties received unique identifiers that had been stored on users' devices, allowing third parties to recognize users they had previously interacted with. One of those third parties also may have received first and last names, email addresses, mailing addresses, and gender information.
In June 2022, media outlets reported on the use of tracking tools on NewYork-Presbyterian websites and their collection of sensitive health data. NewYork-Presbyterian disabled tracking tools on its website soon after and contracted a third-party forensic firm to determine the extent of the data released. In March 2023, NewYork-Presbyterian formally reported that the practice affected over 54,000 people.
As a result of the agreement, NewYork-Presbyterian has agreed to pay $300,000 and to adopt policies and procedures to prevent the disclosure of protected health information through tracking tools, including maintaining appropriate policies and procedures on the use of third-party tools; conducting regular audits, reviews, and tests of third-party tools before deploying them to a NYP website or app; conducting regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools; and instructing third parties to delete any protected health information they received.