NewYork-Presbyterian Hospital Privacy Investigation
NewYork-Presbyterian Hospital (“NYP”) strives to provide exceptional, personalized care that always puts our patients first. We value our patients and community members and understand that maintaining your privacy is of the utmost importance.
Recently, NYP became aware of an issue relating to its use of tracking and analytics tools on our public-facing, www.nyp.org website that may have resulted in the sharing of certain patients’ information with the developers of these tools.
Recently it has come to light that NewYork-Presbyterian Hospital's website utilizes "pixels" that track what website visitors do on their computers. These pixels are tracking everything you do once you visit their website. Not only is this an invasion of privacy, but it has come to light that the tracking technology used on the NewYork-Presbyterian website has exposed patient data to third parties. The hospital is claiming that the only information shared were:
• Patients' Names,
• Patients' Addresses,
• Patients' Email Addresses
• Patient Genders.
Affected NewYork-Presbyterian Hospital campus locations may include one of the following:
• NewYork-Presbyterian/Columbia University Irving Medical Center
• NewYork-Presbyterian/Weill Cornell Medical Center
• NewYork-Presbyterian Allen Hospital
• NewYork-Presbyterian Brooklyn Methodist Hospital
• NewYork-Presbyterian Hudson Valley Hospital
• NewYork-Presbyterian Westchester (formerly Lawrence Hospital)
• NewYork-Presbyterian Lower Manhattan Hospital
• NewYork-Presbyterian Queens
• NewYork-Presbyterian Alexandra Cohen Hospital for Women and Newborns
• NewYork-Presbyterian Komansky Children's Hospital
• NewYork-Presbyterian Morgan Stanley Children's Hospital
• Sloane Hospital for Women at NewYork-Presbyterian Morgan Stanley Children's Hospital
• NewYork-Presbyterian Westchester Behavioral Health Center
• NewYork-Presbyterian David H. Koch Center
• NewYork-Presbyterian Brooklyn Methodist Hospital Center for Community Health
NYP began using these tools from third-party service providers on www.nyp.org to understand how visitors interacted with the website. These tools allowed NYP to review website activity to streamline external communications, monitor community engagement and make it easier for patients to connect with care that they need.
NYP disabled the trackers and worked with a forensic firm to fully analyze the information these tools had collected and shared.
In January of 2023, NYP learned that certain information of patients requesting appointments or second opinions or initiating a virtual urgent care visit on www.nyp.org may have been accessed by NYP’s third-party technology service providers.
NYP then reviewed that matter further and determined that the tracking and analytics tools accessed IP addresses and the URL/website addresses of the pages visited, which may have included the provider name and specialty listed on NYP.org. In addition, certain tools were also able to access first name, last name, email address, mailing address, and/or gender if that information was entered on particular pages of the website.
Approximately 54,396 patients were affected.
NYP has not found any evidence that the trackers and analytics tools captured financial information, passwords, payment information, social security numbers or sensitive health information. The trackers and analytics tools also did not collect any protected health information from patient medical records within the NYP Connect patient portal or mobile application.
As required by law, NYP reported this incident to the Department of Health and Human Services, the Office for Civil Rights, and to the Office of the Attorney General in New York State.
Data breaches have increasingly become a cause for concern, as they can lead to long-term damage for those affected. These breaches occur when hackers infiltrate networks to steal personal information, which they may then sell on the dark web, use for identity theft, commit financial theft, or perpetrate other fraudulent activities.
A recent example of a significant data privacy violation is the 2023 Facebook class action settlement, which amounted to a staggering $725 million. This case centered around Facebook's improper sharing of user data with third parties, emphasizing the need for vigilance in protecting personal information.
Taking responsibility for and owning one's personal data is essential in today's digital age. By being proactive in safeguarding our personally identifiable information, we can minimize the risk of falling victim to data breaches and the consequences that come with them. This includes using strong, unique passwords, being cautious about sharing personal information online,
If you were a patient at a NewYork-Presbyterian campus location, your personally identifiable or protected health information may have been leaked to hackers.