Advertising Tools on Hospital’s Website Tracked Visitors Searching for Doctors or Booking Appointments, in Violation of Federal Law
“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients' personal information and health data. NewYork-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that NewYork-Presbyterian is not negligent in protecting its patients’ information.”
NewYork-Presbyterian Hospital (NYP) operates 10 hospitals across New York City and the surrounding metropolitan area and receives more than 2 million patient visits each year. NYP’s website allows visitors to book appointments, search for doctors, learn about NYP services, and research information relating to symptoms and conditions. An OAG investigation found that NYP had no appropriate internal policies or procedures for vetting third-party tracking tools, and did not review such tools for violations of policy or law before deploying them.
Between June 2016 and June 2022, NYP used third-party tools to track visitors to its website for marketing purposes. These tools used snippets of code, known as tracking pixels or tags, that sent information back to the third party whenever a webpage loaded or a user took a pre-defined action, like clicking a link, submitting a form, or running a search using the website’s search function.
Third-party companies received a variety of information about NYP’s website visitors, and in some cases that information concerned the user’s health. Most third-party companies received the user’s IP address and the URL of the webpage that had loaded or the link that was clicked. If a user searched for a doctor by specialty or condition, researched a health condition, or scheduled an appointment, information about the user’s doctor or health condition was in some cases reflected in the URL. For example, if a user conducted a search using the words “spine surgery,” the URL of the search result page would include “spine-surgery,” and the third party would receive that health information about the user.
Several third parties received unique identifiers that had been stored on users’ devices, allowing third parties to recognize users they had previously interacted with. One of the third parties also may have received first and last name, email address, mailing address, and gender information.
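As an added illustration of the mechanism described above, and not code from the release or from NYP, the following constructed JavaScript models a marketing pixel whose beacon carries the full page URL and an identifier the tracker stored earlier in a cookie, a guarded variant that redacts the URL and omits the identifier, and the kind of pre-deployment check a vetting process could run against captured beacons. The tracker endpoint, cookie name, page paths and term list are assumptions.

```javascript
// Added, constructed example (not NewYork-Presbyterian's code). Models the
// behaviour the release describes: a pixel that fires on page load and sends
// the page URL plus a device identifier it planted earlier. The endpoint,
// cookie name, page paths and term list below are assumptions.

const TRACKER_ENDPOINT = 'https://tracker.example/collect'; // assumed endpoint
const TRACKER_COOKIE = '_tid';                               // assumed cookie name

// Parse a document.cookie-style string ("a=1; b=2") into an object.
function parseCookies(cookieString) {
  const out = {};
  for (const part of cookieString.split(';')) {
    const idx = part.indexOf('=');
    if (idx === -1) continue;
    out[part.slice(0, idx).trim()] = decodeURIComponent(part.slice(idx + 1).trim());
  }
  return out;
}

// Typical pixel beacon: page URL (dl), referrer (dr) and, when the tracker's
// cookie is present, the identifier that lets it recognise a returning device.
function buildBeacon(pageUrl, referrer, cookieString) {
  const u = new URL(TRACKER_ENDPOINT);
  u.searchParams.set('dl', pageUrl);
  u.searchParams.set('dr', referrer);
  const cid = parseCookies(cookieString)[TRACKER_COOKIE];
  if (cid) u.searchParams.set('cid', cid);
  return u.toString();
}

// Mitigation: keep only the origin and first path segment and drop the query
// string, so a search for "spine surgery" no longer reaches the tracker via the URL.
function redactPageUrl(pageUrl) {
  const u = new URL(pageUrl);
  const first = u.pathname.split('/').filter(Boolean)[0] || '';
  return `${u.origin}/${first}`;
}

// Guarded variant: redacted URL, no referrer, no device identifier.
function buildGuardedBeacon(pageUrl) {
  const u = new URL(TRACKER_ENDPOINT);
  u.searchParams.set('dl', redactPageUrl(pageUrl));
  return u.toString();
}

// Pre-deployment check: decode every beacon parameter and flag health-related
// terms. Assumed, partial list; plain substring match, to be tuned in practice.
const SENSITIVE_TERMS = ['surgery', 'cancer', 'oncology', 'cardiology', 'psychiatr', 'pregnan'];
function leakedTerms(beaconUrl) {
  const values = [...new URL(beaconUrl).searchParams.values()].join(' ').toLowerCase();
  return SENSITIVE_TERMS.filter((t) => values.includes(t));
}

// Constructed sample visit: a search-result page whose URL reflects the query.
const SAMPLE_PAGE = 'https://hospital.example/search/spine-surgery?loc=manhattan';
const SAMPLE_COOKIES = `${TRACKER_COOKIE}=abc123; session=xyz`;
const SAMPLE_REFERRER = 'https://www.google.com/';

const leakyBeacon = buildBeacon(SAMPLE_PAGE, SAMPLE_REFERRER, SAMPLE_COOKIES);
console.log('beacon  :', leakyBeacon);
console.log('leaks   :', leakedTerms(leakyBeacon));   // ["surgery"]
const guardedBeacon = buildGuardedBeacon(SAMPLE_PAGE);
console.log('guarded :', guardedBeacon);
console.log('leaks   :', leakedTerms(guardedBeacon)); // []
```

Run it with `node`. Note that percent-encoding the page URL does not hide the term: hyphens and letters are not encoded, so “spine-surgery” arrives at the tracker verbatim. The redaction trades reporting granularity for safety; a real review would also inspect request bodies, the Referer header and any identifiers sent on form submission, not just the query string of the beacon.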
In June 2022, a journalist reported on the use of tracking tools on NYP websites and their collection of sensitive health data. NYP disabled the tracking tools on its website soon after and contracted a third-party forensic firm to determine the extent of the data released. In March 2023, NYP formally reported that the incident affected over 54,000 people.
As a result of today’s agreement, NYP has agreed to pay $300,000 and to adopt policies and procedures to prevent the disclosure of protected health information through tracking tools, including:
- Maintaining appropriate policies and procedures on the use of third-party tools;
- Conducting regular audits, reviews, and tests of third-party tools before deploying them to a NYP website or app;
- Conducting regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools; and
- Instructing third parties to delete any protected health information they received.
Healthcare providers can find guidance on HIPAA’s application to the use of tracking technologies in the document Use of Online Tracking Technologies by HIPAA Covered Entities and Business Associates, issued by the Office for Civil Rights at the United States Department of Health and Human Services.
This agreement continues Attorney General James’ efforts to protect New Yorkers’ personal information and hold companies accountable for poor data security practices. In November, Attorney General James secured $450,000 from US Radiology for a data breach that leaked the personal data of more than 92,000 New Yorkers. In October, Attorney General James secured $350,000 from Long Island health care company Personal Touch for failing to secure the data of 300,000 New Yorkers. Earlier that month, Attorney General James and a multistate coalition secured $49.5 million from cloud company Blackbaud for a 2020 data breach exposing the data of thousands of users. In September, Attorney General James reached an agreement with Marymount Manhattan College to invest $3.5 million to protect students’ online data. In May, Attorney General James recouped $550,000 from a medical management company for failing to protect patient data. In April, Attorney General James released a comprehensive data security guide to help companies strengthen their data security practices. In October 2022, Attorney General James announced a $1.9 million agreement with the owner of SHEIN and Zoetop for failing to properly handle a data breach that compromised the personal information of millions of consumers.