NY AG Fines NewYork-Presbyterian Hospital Over Tracking Tech Use

January 03, 2024 - New York Attorney General Letitia James fined the NewYork-Presbyterian Hospital (NYP) $300,000 over its use of tracking tech that resulted in private information being shared with third-party tech companies. NYP agreed to update its policies, implement enhanced privacy safeguards, and secure the deletion of protected health information (PHI), in addition to the monetary settlement.

As previously reported, third-party tracking tech present on hospital websites has inadvertently resulted in numerous data breaches in the past few years. Many hospitals employ this technology for enhanced website functionality, only to realize later that sensitive data is being transmitted back to the tech companies that offer these tools.

In the case of NYP, which operates 10 hospitals across New York City, the tracking tools were present on its website from June 2016 to June 2022, when it disabled the tracking tools and later reported the incident as a breach impacting 54,000 individuals. NYP had implemented these tools for marketing purposes.

However, an investigation by the Office of the Attorney General (OAG) found that NYP had not implemented appropriate internal policies to vet third-party tracking tools and had failed to review the tools for potential privacy violations prior to deploying them.

According to the settlement agreement, each time a third-party pixel was triggered, information about the user’s interaction with the NYP website was shared with a third party, such as Google and Meta. These companies received user IP addresses and unique identifiers stored in cookies. Meta also allegedly received names, email addresses, and gender information.

“If a user searched for a doctor by specialist or condition, researched a health condition, or scheduled an appointment, information about the user’s doctor or health condition were in some cases reflected in the URL,” the OAG stated.

“For example, if a user conducted a search using the words ‘spine surgery,’ the URL of the search result page would include ‘spine-surgery’ and the third party would receive that health information about the user.”

In addition to paying $300,000, NYP agreed to conduct regular audits and tests of third-party tools before deploying them to an NYP website or app. In addition, NYP agreed to conduct regular contract and privacy policy reviews with these vendors and to instruct third parties to delete any PHI they received.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” James said.

“Hospitals and medical facilities must uphold a high standard for protecting their patients' personal information and health data. NewYork-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that NewYork-Presbyterian is not negligent in protecting its patients’ information.”