State AG Hits Hospital With $300K Fine for Web Tracker Use

NewYork-Presbyterian Disabled Website, Patient Portal Trackers in 2022


State regulators have fined a large New York academic medical center $300,000 to settle privacy violations related to the organization’s prior use of tracking tools in its websites and patient portal. Regulators said the hospital had violated HIPAA rules in sharing patient information with third parties for marketing purposes.


Under the settlement announced last week by the New York state attorney general’s office, NewYork-Presbyterian Hospital has also agreed to take corrective actions including ensuring that all third parties that received patient health information through the tracking tools delete the data.

NYP, which operates 10 hospitals across the New York City area, handles more than 2 million patient visits annually. The group’s website allows individuals to schedule appointments, search for doctors and healthcare services, and research information relating to symptoms and conditions.

“We are pleased to have reached a resolution with the New York State attorney general on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority,” NYP told Information Security Media Group in a statement.

“We continually assess our data collection, data privacy and digital monitoring tools and practices so that they meet or exceed the highest standards.”

The New York state attorney general’s office said its investigation had determined that NYP did not have appropriate internal policies or procedures for vetting third-party tracking tools, did not have business associate agreements with the technology providers, and did not review or vet third-party tracking tools for violations of policy or law prior to their deployment.

NYP in June 2016 began using tracking pixels and tags from tech vendors including Meta/Facebook, Google, TikTok, iHeartMedia and Twitter in its websites and patient portals. The tracking tools sent the third-party companies a variety of information about NYP’s website visitors, including, in some cases, details about the user’s health and medical conditions, the state regulator said.

NYP discontinued using the technologies in June 2022 following a report by investigative media site The Markup that found such tracking tools embedded in dozens of hospital and telehealth websites, including NYP.

After disabling the tools in June 2022, NYP conducted its own forensics investigation into the matter and reported the incident in March 2023 to the U.S. Department of Health and Human Services as a HIPAA breach affecting about 54,500 individuals.

NYP is one of at least a dozen entities that have filed breach reports with HHS OCR involving web tracker incidents since the federal agency issued guidance in December 2022 warning covered entities and business associates that the use of online tracking tools potentially violates the HIPAA Privacy Rule (see: 3 More Healthcare Entities Report Website Tracking Breaches).

HHS OCR and the Federal Trade Commission in July sent a joint warning letter to 130 hospitals and telehealth firms, including NYP, about their use of tracking tools potentially violating HIPAA and FTC regulations (see: Feds Publicly Name 130 Healthcare Firms Using Web Trackers).

The FTC has already taken enforcement actions against at least two telehealth providers – BetterHelp and GoodRx – plus mobile fertility app vendor Premom in cases involving those companies’ use of tracking tools that shared consumers’ sensitive health and personal information with third-party analytics and social media firms without patients’ consent.

While HHS OCR has also warned entities of potential HIPAA enforcement actions involving the use of trackers, the federal agency has not yet publicly disclosed any settlements or civil monetary penalties in such cases.

“OCR investigations take quite a bit of time,” said regulatory attorney Rachel Rose. For example, in HHS OCR’s recent enforcement action in its first case involving a phishing breach, the agency took more than two years to investigate before levying fines and a corrective action plan, she said.

Meanwhile, the American Hospital Association has filed a lawsuit against HHS OCR over the agency’s online tracking HIPAA guidance, and there is debate over whether the identifiers collected by the tools are PHI or individually identifiable health information, “which it is in most cases,” Rose said. “It is possible that we could see an online tracking case” by HHS OCR in 2024, she said.

In the meantime, New York’s attorney general’s office appears to be the first to take an enforcement action in a HIPAA case involving the use of web trackers. Under the HITECH Act, all state attorneys general have the authority to take such actions.

The New York attorney general’s office has been especially aggressive regarding HIPAA violations during the past year, Rose said. “Given the increased focus on cybersecurity, including the New York State Department of Financial Services’ amendments to Part 500 of its cybersecurity regulations and its recent enforcement action against a radiology group for failing to implement adequate technical safeguards to protect the privacy of patient information, it is not surprising,” she said.

Looking ahead in 2024, Rose said she expects other states’ attorney general offices to jump in with more aggressive HIPAA-related activities. “It is very likely that we could see enforcement actions for two reasons: the national focus on third parties, and state breach notification law requirements to state agencies; oftentimes the statute requires reporting to the state attorney general’s office.”