Your data has been breached … again … this time by NY Presbyterian Hospital

January 2, 2024 Robert Abruzzese, Courthouse Editor

Attorney General Letitia James announced a $300,000 settlement with The NewYork-Presbyterian Hospital (NYP) for its failure to safeguard patient data. The settlement follows an investigation by the Office of the Attorney General (OAG) into the hospital’s use of tracking tools on its website that disclosed visitors’ health information to third-party tech companies.

The investigation revealed that when visitors used NYP’s website to search for doctors or book appointments, their private health information was collected and shared, breaching the Health Insurance Portability and Accountability Act (HIPAA). As part of the settlement, NYP agreed to implement new policies, ensure the deletion of protected health information, and maintain enhanced privacy safeguards.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James, who has taken similar action against several entities for data breaches, including US Radiology, Personal Touch, cloud company Blackbaud, Marymount Manhattan College, and a medical management company. 

In October 2022, Attorney General James announced a $1.9 million agreement with SHEIN and Zoetop for mishandling a data breach.

NewYork-Presbyterian Hospital, with 10 hospitals across New York City and the metropolitan area, had not adequately reviewed third-party tracking tools used on its website for policy or legal violations. Between June 2016 and June 2022, NYP employed these tools for marketing purposes, inadvertently sharing user data, including health conditions, with third-party companies.

For instance, if a user searched for “spine surgery,” the URL of the search result page containing this term was shared with third parties. Some companies even received unique identifiers stored on users’ devices, potentially exposing personal details like names, email addresses, and mailing addresses.

The issue came to light in June 2022 following a report that led NYP to disable the tracking tools and conduct a forensic investigation. In March 2023, NYP reported the incident, affecting over 54,000 individuals. The affected individuals are not expected to receive any direct compensation for the breach of their data.

Under the agreement, NYP must pay $300,000 and adopt stringent measures to prevent further data breaches. These include maintaining appropriate policies on third-party tool use, conducting regular audits and reviews, and instructing third parties to delete any received protected health information.

 

