Tracking Pixel Use Results in Data Breach at NY Hospital, 54K Impacted

April 04, 2023 - NewYork-Presbyterian Hospital (NYP) is the latest healthcare organization to report a data breach stemming from its use of tracking and analytics tools. As previously reported, Meta, Google, and other tech companies have been facing backlash over the use of tracking pixels on healthcare websites.

In October 2022, Advocate Aurora Health notified 3 million individuals of a breach stemming from the use of tracking pixels, and Novant Health notified 1.3 million individuals of potential unauthorized data disclosures resulting from its use of pixels.

In the case of NewYork-Presbyterian Hospital, more than 54,000 individuals were recently notified that the use of third-party tracking and analytics tools on its public-facing website may have resulted in the exposure of patient information.

“NYP began using these tools from third-party service providers on [url=http://www.nyp.org]http://www.nyp.org[/url] to understand how visitors interacted with the website,” the hospital explained.

“These tools allowed NYP to review website activity to streamline external communications, monitor community engagement and make it easier for patients to connect with care that they need.”

Once NYP discovered that the tools were potentially sharing patient information with developers, it disabled the trackers and launched a forensic investigation.

The incident impacted patients who requested appointments or second opinions, and those who initiated a virtual urgent care visit on [url=http://www.nyp.org]http://www.nyp.org[/url].

“We then reviewed that matter further and determined that the tracking and analytics tools accessed IP addresses and the URL/website addresses of the pages visited, which may have included the provider name and specialty listed on NYP.org,” the notice continued.

“In addition, certain tools were also able to access first name, last name, email address, mailing address, and/or gender if that information was entered on particular pages of the website.”

NYP said it had not found any evidence that the trackers captured financial information, sensitive health information, or Social Security numbers.

“After disabling the tracking and analytics tools from our website, NYP reevaluated and changed our data collection practices and developed a protocol for monitoring website engagement,” the notice concluded.

Florida Medical Clinic Discloses Ransomware Attack Impacting 94K

Florida Medical Clinic notified 94,132 individuals of a ransomware attack that was first detected on January 9, 2023. The incident was contained within hours, and the clinic said it was able to isolate the exposure.

Florida Medical Clinic’s EHR system was not impacted, but the unauthorized party was able to access 94,132 files containing very limited personal information. For 95 percent of the files, only names were exposed.

The remaining files may have contained medical information, dates of birth, addresses, email addresses, and phone numbers. In addition, 115 patient Social Security numbers were compromised.

“Since this event, Florida Medical Clinic has worked with our outside security consultant to implement additional cybersecurity measures to prevent recurrence of such an attack and to continue to protect the privacy of our valued patients, including replacing certain components of our system and changing the remote access protocols for our systems,” the notice stated.

“We appreciate our patients for entrusting us with their care and for trusting that we remain committed to that care and to following through with the protocol for handling this unfortunate situation.”

American Pain and Wellness Reports Data Breach

Plano, Texas-based American Pain and Wellness (APW) notified 7,457 individuals of a ransomware attack that occurred in November 2022.

After discovering suspicious activity, APW discovered that its network, including all backups, was encrypted with malicious ransomware. Further investigation revealed that an unauthorized party may have had access to APW’s systems between November 10 and November 27.

The information involved in the breach potentially included patient and employee names and Social Security numbers.

“Upon discovering the event, APW moved quickly to investigate and respond to the incident, assess the security of APW systems, and identify potentially affected individuals,” the notice stated.

“Further, APW notified federal law enforcement regarding the event. APW is also working to implement additional safeguards and training to its employees.”