The New York Attorney General's fine on New York Presbyterian Hospital (NYP) follows a 2023 trend of crackdowns on third-party web tracking. This has shown a rise in tracking-based violations by organizations and a broader awareness of these threats to private patient data.
How does web tracking occur and why is it a HIPAA violation?
Web tracking typically occurs when websites and applications embed various tracking tools like cookies, pixel tags, or scripts to monitor and record users' online activities. These tools collect user data, including their browsing habits, preferences, and sometimes personal information. When a hospital or medical website uses these tools in the healthcare sector, it can inadvertently capture and share sensitive health information, like search queries for specific medical conditions or appointment details. This sharing of private health data with third-party tech companies, without explicit patient consent, violates HIPAA.
NYP and the $300 000 fine
The New York Attorney General, Letitia James, fined NYP $300,000 for using website tracking tools that shared private patient information with third-party tech companies. NYP’s sharing of data occurred when visitors used their website to search for doctors or book appointments, constituting a violation of HIPAA. The investigation revealed that from June 2016 to June 2022, NYP employed these tracking tools for marketing purposes, which inadvertently disclosed sensitive data, including IP addresses, personal details, and in some cases, health-related information. This breach affected over 54,000 individuals.
The rise of web tracking incidents
While distinct in their details, the cases involving NYP, Costco, Personal Touch Holding Corp, and the HPMB law firm underscore the critical challenges of data privacy and security, especially in the context of healthcare and related industries. An issue in these cases is the use of web tracking tools, as seen with NYP and Costco. This led to the unauthorized collection and sharing of sensitive health-related information, raising significant privacy concerns.
These incidents illustrate potential violations of HIPAA and highlight the broader impact of HIPAA compliance across various sectors, including retail and legal services. The legal actions and settlements ensuing from these violations, with NYP and Personal Touch Holding Corp being fined and required to improve data protection measures, and HPMB facing a similar financial penalty, demonstrate the serious repercussions of failing to safeguard sensitive data. The involvement of third-party tracking tools, presents complex risks related to data breaches. Cases like this have heightened regulatory and public focus on data security and emphasized the need for organizations to balance technological advancements with ethical data management practices.
The NY Attorney General crackdown
The New York Attorney General, Letitia James, has actively enforced measures against the misuse of third-party web tracking, as evidenced by the cases mentioned above. In the NYP case, Attorney General James imposed a $300,000 fine for the hospital’s unauthorized use of web tracking tools that compromised patient privacy. Similarly, Personal Touch Holding Corp faced a $350,000 fine due to a data breach that highlighted significant security lapses, including insufficient protection against unauthorized web tracking. In the case of HPMB, a $200,000 fine was levied for their failure to implement adequate cybersecurity measures, resulting in a data breach that exposed sensitive information.
In a statement regarding the NYP settlement for web tracking, the NY Attorney General stated: “New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised. Hospitals and medical facilities must uphold a high standard for protecting their patients' personal information and health data. NewYork-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that NewYork-Presbyterian is not negligent in protecting its patients’ information.”
Beyond these fines, all three entities were required to implement comprehensive information security programs. These programs involved regular risk assessments, the establishment of access controls, and integrating continuous monitoring systems to prevent future breaches. An aspect of these agreements is the emphasis on employee training and awareness to ensure a culture of security and compliance. The settlements have also required the encryption of personal and health information, and the development of vendor management protocols to safeguard against third-party risks.
See also: HIPAA Compliant Email: The Definitive Guide
Kirsten Peremore
