HIPAA Breach News

Class Action Lawsuits Filed Over HealthEC Data Breach

Posted by Steve Alder

January 12, 2024: Class Action Lawsuits Filed Over HealthEC Data Breach

Multiple class action lawsuits have been filed against HealthEC LLC over a recently disclosed data breach that affected almost 4.5 million individuals. Hackers gained access to HealthEC’s population health management platform between July 14, and July 23, 2024, and obtained the sensitive data of patients of its healthcare provider clients, per The HIPAA Journal report below.

One of the class action lawsuits – Victoria Lempinen v. Health EC LLC – was filed in the U.S. District Court of New Jersey on behalf of Victoria Lempinen and similarly situated individuals who had their personal and protected health information compromised in the data breach.  The lawsuit alleges that HealthEC lost control of the sensitive data of almost 4.5 million individuals as a direct result of the failure to maintain reasonable and appropriate cybersecurity protocols and the lack of encryption of sensitive data on its network. The security failures are alleged to violate the FTC Act and Health Insurance Portability and Accountability Act (HIPAA). Further, the plaintiff argues that HealthEC did not have policies and procedures in place to ensure that sensitive data was deleted in a timely manner when it was no longer needed.

In addition to suffering a preventable data breach, HealthEC is alleged to have unnecessarily delayed issuing notifications, which were issued in December 2023, more than 5 months after the data breach occurred. This, it is argued, denied the opportunity for victims of the breach to take steps to protect themselves against identity theft and fraud. When notification letters were issued, the lawsuit alleges HealthEC failed to disclose important details about the breach, such as when the cyberattack and data breach were first detected, the dates of the investigation, the vulnerabilities that were exploited by the hackers, and the measures undertaken in response to the cyberattack to ensure that similar breaches are prevented in the future.

The lawsuit claims the plaintiff and class have suffered injuries including invasion of privacy, theft of private information, loss or diminished value of private information, lost time and opportunity costs, loss of benefit of the bargain, and an increase in spam calls, texts, and emails, and the plaintiff and class members now face an increased risk of identity theft and fraud. The 75-page lawsuit alleges negligence, breach of third-party beneficiary contract, breach of confidence, invasion of privacy, and unjust enrichment and seeks class action certification, a jury trial, and damages, restitution, and injunctive relief, including an order from the court to compel HealthEC to implement a raft of measures to improve data security. The plaintiffs and class are represented by Vicki J.  Maniatis and Gary M. Klinger of Millberg Coleman Bryson Phillips Grossman LLC.

A second lawsuit was filed against HealthEC LLC on behalf of plaintiff Bree Marano and similarly situated individuals that makes similar claims, including the failure to comply with FTC guidelines, industry standards, and HIPAA. Those failures include inadequate cybersecurity measures given the level or risk of a cyberattack, insufficient monitoring of its network for intrusions, and the failure to issue adequate and timely individual notifications about the data breach. The lawsuit alleges negligence, breach of implied contract, unjust enrichment, and breach of confidence, and claims the defendant has done absolutely nothing of value to provide the plaintiff and class with relief for the damages they have suffered as a result of the data breach.

January 3, 2024: HealthEC Data Breach Affects Almost 4.5 Million Individuals

HealthEC, an Edison, New Jersey-based analytics software vendor, has recently confirmed that the protected health information of 4,452,782 individuals has been exposed and potentially stolen in a recent cyberattack. HealthEC is the developer of a platform that healthcare organizations use to identify high-risk patients, close care gaps, and recognize barriers to optimal care. More than 1 million healthcare professionals in 18 U.S. states use the platform’s analytics to gain insights to improve patient outcomes.

HealthEC started mailing data breach notification letters to the affected individuals on December 22, 2023; however, the data breach occurred several months earlier. According to the notification letters, unauthorized individuals had access to HealthEC’s systems between July 14, 2023, and July 23, 2023. The forensic investigation revealed that during that time, files were removed.

HealthEC conducted a review of the affected files and determined that they contained the protected health information of its clients’ patients. HealthEC started notifying the affected clients on October 26, 2023, which included MD Valuecare in Virginia (112,005 records)  and Corewell Health in Michigan (1 million+ records). On December 21, 2023, the breach was reported to the Department of Health and Human Services’ Office for Civil Rights as affecting 4.52 million individuals.

The information compromised in the attack varied from patient to patient and may have included names along with one or more of the following: address, date of birth, Social Security number, medical record number, diagnosis and diagnosis codes, mental/physical condition, prescription information, provider name, beneficiary number, subscriber number, Medicaid/Medicare identification number, patient account number, patient identification number, and treatment cost information. HealthEC is offering the affected individuals complimentary credit monitoring services and has taken steps to improve security to prevent further data breaches in the future.

HealthEC is the second vendor to experience a data breach that has affected more than 1 million Corewell Health patients this year. Michigan Attorney General, Dana Nassel, has called for new legislation to be introduced in the state mandating prompt notifications in the event of a data breach, as in each case, Michiganians had to wait several months to discover that their sensitive health data had been stolen.

Entities Impacted by HealthEC Data Breach

The entities known to have been affected by the HealthEC data breach, as disclosed by HEalthEC on December 22, 2023 are:

  • Alliance for Integrated Care of New York, LLC
  • Advantage Care Diagnostic & Treatment Center, Inc.
  • Beaumont ACO
  • Community Health Care Systems
  • Compassion Health Care
  • Corewell Health
  • East Georgia Healthcare Center
  • HonorHealth
  • Hudson Valley Regional Community Health Centers
  • Illinois Health Practice Alliance, LLC
  • KidneyLink
  • Long Island Select Healthcare
  • Metro Community Health Centers
  • Mid Florida Hematology & Oncology Centers, P.A, d/b/a Mid-Florida Cancer Centers
  • TennCare
  • State of Tennessee
  • University Medical Center of Princeton Physicians’ Organization
  • Upstate Family Health Center, Inc.

The post Class Action Lawsuits Filed Over HealthEC Data Breach appeared first on HIPAA Journal.

Michigan Attorney General Calls for New Data Breach Notification Law

Posted by Steve Alder

Michigan Attorney General Dana Nessel has called for legislative changes to hold companies in the state more accountable for data breaches after Corewell Health failed to disclose a data breach promptly. Corewell Health has been affected by two massive data breaches this year, both of which occurred at vendors and affected more than a million Corewell Health patients. The first breach occurred at Corewell Health vendor Welltok, which had data stolen in May when the Clop hacking group exploited a vulnerability in Progress Software’s MOVEit Transfer solution. Corewell Health patients were notified about the breach on December 1, 2023, more than 6 months after the breach occurred.

Michigan Attorney General, Dana Nessel

AG Nessel’s comments came in response to a second such breach, which occurred at HealthEC, a vendor used by Corewell Health for analyzing patient data. HealthEC discovered the breach in July 2023 and notified Corewell Health in October that the data of its patients had been compromised. AG Nessel explained that the department in the state that is responsible for consumer protection did not hear about the breach until December 27, 2023, more than 5 months after the breach was detected.

It often takes several months for individual data breach notification letters to be issued, but when sensitive data is stolen it can be misused immediately. Individuals need to know that their data has been stolen quickly so they can take steps to protect themselves against identity theft and fraud. In both cases, complimentary credit monitoring and identity theft protection services have been offered but some of the affected individuals have already fallen victim to identity theft and fraud. Had those individuals been made aware of the breaches sooner, losses could have been prevented. Nessel is advocating for legislation that requires companies to notify the state immediately when a data breach is discovered.

Currently, 34 U.S. states have laws that require the state Attorney General or state agencies to be issued with timely notifications about data breaches that exceed certain thresholds, but there are no such requirements in Michigan. Without mandatory data breach reporting to improve transparency, there is little the state can do regarding enforcement.

“What we would like to be able to do is to say, ‘You know, look, if you don’t properly secure and store data, or if you don’t report a data breach, you’re going to be subjected to significant fines.’ That’s what they do in other states, but not here in Michigan,” said Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection.”

Regarding data security failures that result in data breaches, Michigan could take action and fine companies that are discovered to have violated the Health Insurance Portability and Accountability Act. Several state Attorneys General have imposed financial penalties for HIPAA violations, including Connecticut, Indiana, Massachusetts, Minnesota, New York, and New Jersey.

The post Michigan Attorney General Calls for New Data Breach Notification Law appeared first on HIPAA Journal.

Transformative Healthcare Sued Over Fallon Ambulances Service Data Breach

Posted by Steve Alder

Transformative Healthcare is facing legal action over a recently disclosed data breach that affected 911,757 patients of the Fallon Ambulance Service. The lawsuit also names Coastal Medical Transportation Systems, LLC, as a defendant. Coastal Medical Transportation Systems acquired Fallon Ambulance Services in September 2022, although the data breached was an archive copy of data from before the acquisition.

The lawsuit – Daniel Durgin v. Transformative Healthcare, LLC, and Coastal Medical Transportation Systems, LLC – was filed in the U.S. District Court for the District of Massachusetts on January 18, 2023, on behalf of Daniel Durgin, who received emergency medical transportation from the Fallon Ambulance Service before it ceased operations in December 2022. The lawsuit alleges the defendants should have known how to keep sensitive data protected, yet failed to implement reasonable and appropriate cybersecurity measures and comply with industry security standards, which allowed hackers to gain access to the plaintiff’s and class members’ sensitive data.

The lawsuit claims the plaintiff and class have incurred costs and expenses associated with the time spent mitigating the consequences of the data breach, including checking credit reports for signs of misuse of their data, purchasing credit monitoring services, and having to deal with withdrawal and purchase limits on their accounts, as well as the loss of property value of their personal information, and stress, nuisance, and aggravation of having to deal with the issues caused by the data breach.

The plaintiff and class asset claims of negligence, breach of implied contract, unjust enrichment/quasi-contract, and breach of fiduciary duty. The lawsuit seeks class-action status, a jury trial, monetary and statutory damages, and injunctive relief.

The plaintiff and class are represented by David Pastor of Pastor Law Office, PC, and Nicholas A. Migliaccio and Jason Rathod of Migliaccio & Rathod LLP.

January 2, 2024: More Than 911,000 Individuals Affected by Fallon Ambulance Service Data Breach

Legal counsel for Transformative Healthcare, a Newton MA-based medical, transportation & logistics company, has notified the HHS’ Office for Civil Rights about a data breach that has affected 911,757 individuals. The data breach affected individuals who had previously received services from the Fallon Ambulance Service, the Massachusetts medical transportation arm of Transformative Healthcare. Fallon responded to patient emergencies in the greater Boston area and provided administrative services for affiliated medical transportation companies.

In September 2022, Fallon Ambulance Service was acquired by Coastal Medical Transportation Systems and ceased business operations in December 2022. In order to comply with legal data retention requirements, Transformative Healthcare retained an archived copy of data that was previously stored on Fallon’s computer systems. On or around April 21, 2023, Transformative Healthcare detected unauthorized activity in its archive environment. Prompt action was taken to prevent further unauthorized access and an investigation was launched to determine the extent of the breach. The forensic investigation confirmed that an unauthorized third party gained access to the archive on February 17, 2023, and retained access to the archive environment until April 22, 2023. During that time, files were copied from the archive.2

The affected files were reviewed and that process was completed on December 27, 2023, when it was confirmed that the files contained names, addresses, Social Security numbers, medical information including COVID-19 testing/ vaccination information, and information provided to Fallon in connection with employment or application for employment.

While data was removed from the archive, neither Fallon nor Transformative Healthcare have found any evidence to indicate misuse of the data. Affected patients were notified by mail on December 27, 2023, and credit monitoring and identity theft protection services are being offered to the affected individuals.

The post Transformative Healthcare Sued Over Fallon Ambulances Service Data Breach appeared first on HIPAA Journal.

Anna Jaques Hospital Suffers Christmas Day Cyberattack

Posted by Steve Alder

Anna Jaques Hospital in Newburyport, MA, experienced a cyberattack on Christmas Day that resulted in an outage of its medical record system. The decision was taken to divert ambulances to other hospitals in the area until systems could be restored. On December 26, 2023, the emergency department started accepting patients. Few details have been released at this stage about the exact nature of the cyberattack and it is too early to tell if the attackers gained access to patient information. Third-party cybersecurity experts have been engaged and are investigating the attack and further information will be released as the investigation progresses.

Volunteer at NYC Health + Hospitals Impermissibly Accessed Patient Data

NYC Health + Hospitals has recently announced there has been an unauthorized disclosure of patients’ protected health information. NYC Health + Hospitals said it discovered on October 23, 2023, that an employee of NYC Health + Hospitals/Kings County allowed a Kings County volunteer to assist with processing laboratory test specimens for Kings County patients; however, the volunteer was not authorized to work in the laboratory and was not permitted to access patients’ protected health information.

While assisting in the laboratory, the volunteer accessed patients’ names, dates of birth, medical record numbers, locations within the hospital, and the laboratory tests ordered. Affected individuals had laboratory tests performed between October 2, 2021, and August 14, 2023. While PHI was impermissibly accessed, there are no indications that any of that information has been misused.

NYC Health + Hospitals said it has taken steps to prevent similar incidents from occurring in the future, including notifying all laboratory personnel that they are not permitted to provide non-employees with access to any NYC Health + Hospitals laboratories. NYC Health + Hospitals has also confirmed that the employee no longer works for NYC Health + Hospitals and has been barred from future employment at NYC Health + Hospitals, and the volunteer is no longer volunteering at NYC Health + Hospitals and has been barred from future volunteer work at NYC Health + Hospitals.

The incident has not yet appeared on the HHS’ Office for Civil Rights breach portal so it is currently unclear how many individuals have been affected.

The post Anna Jaques Hospital Suffers Christmas Day Cyberattack appeared first on HIPAA Journal.

ProSmile Holdings Notifies Patients About July 2022 Data Breach

Posted by Steve Alder

ProSmile Holdings, LLC, a New Jersey dental service organization, started notifying patients on December 22, 2023, about a breach of its email environment. Suspicious activity was detected in July 2022, and a third-party cybersecurity company was engaged to investigate the unauthorized activity and determine if any sensitive data had been exposed or compromised. ProSmile Holdings was notified on December 1, 2022, that numerous email accounts had been compromised and accessed without authorization, and personal and protected health information may have been accessed or acquired.

On January 27, 2023, ProSmile Holdings engaged a vendor to conduct a review of the affected files, and the review was completed on November 29, 2023. The compromised information included names, dates of birth, Social Security numbers, driver’s license or other state identification card numbers, financial account numbers, payment card numbers, medical treatment information, diagnosis or clinical information, provider information, prescription information, and health insurance information.

ProSmile Holdings made an announcement about the data breach on March 28, 2023, but was unable to confirm at that time how many individuals had been affected or what data had been exposed. The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

It is also unclear why it took 5 months to discover that patient data was involved, a further two months to initiate a document review, and 10 months to complete that review. The first announcement about the breach was not made for 7 months, and it has taken 17 months for individual notifications to be issued.

Valley Health System Affected by Data Breach at ESO Solutions

Valley Health System in Las Vegas has confirmed that it was affected by a ransomware attack and data breach at its software vendor, ESO Solutions, in late September. ESO notified Valley Health System about the breach in late October and confirmed that patient names, phone numbers, addresses, and some personal or health information were compromised. The breach has affected 5 Valley Health System hospitals: Centennial Hills Hospital, Desert Springs Hospital, Spring Valley Hospital, Summerlin Hospital, and Valley Hospital. The affected individuals were notified about the breach on December 12, 2023.

The post ProSmile Holdings Notifies Patients About July 2022 Data Breach appeared first on HIPAA Journal.

Pan-American Life Insurance Group Reports 105,000-Record Data Breach

Posted by Steve Alder

Pan-American Life Insurance Group, Inc. (PALIG) has recently confirmed that it was one of the victims of the Clop hacking group, which exploited a zero-day vulnerability in Progress Software’s MOVEit Transfer file transfer solution in late May 2023.

PALIG was notified about the vulnerability by Progress Software and immediately disabled to software until the patch could be applied. The patch was applied, and steps were taken to improve the security of its systems. At the same time, an investigation was launched to determine if the vulnerability had been exploited, and that proved to be the case. On October 5, 2023, PALIG determined that files had been removed from the MOVEit server that contained the protected health information of 105,387 individuals, including names, addresses, Social Security numbers, dates of birth, driver’s license numbers, contact information, medical and medical benefits information, subscriber numbers, certain biometric data, and financial account and credit card information.

PALIG has now notified those individuals and has offered complimentary credit monitoring services. PALIG has also confirmed that steps have been taken to further improve security and ensure the security of third-party transfer tools.

Bellin Health Notifies Patients About October Cyberattack

Bellin Health has recently announced that an unauthorized third party gained access to its internal systems and may have viewed or acquired the information of patients who purchased home care equipment between 2006 and 2013. Unauthorized activity was detected within its computer systems on October 27, 2023. Its IT security team immediately took steps to contain the activity and launched an investigation to determine the nature and scope of the unauthorized activity.

Assisted by third-party cybersecurity experts, Bellin Health determined that a cyber actor gained access to a folder containing archived scanned documents that contained patient names in combination with one or more of the following: address, phone number, date of birth, and/or health information related to home care equipment. A limited number of documents also included Social Security numbers.

Bellin Health said it has strengthened system security and will continue investing in cybersecurity. The breach was reported to the HHS’ Office for Civil Rights as affecting 20,790 individuals. Patients whose Social Security numbers were exposed have been offered complimentary credit monitoring and identity theft protection services.

Clay County, Minnesota Suffered a Ransomware Attack in October

Clay County in Minnesota announced on December 22, 2023, that it fell victim to a ransomware attack in October. The unauthorized activity was detected in its electronic document management system on October 27, 2023, and the forensic investigation revealed there had been unauthorized access between October 23, 2023, and October 26, 2023, when ransomware was used to encrypt files.

The investigation confirmed that access had been gained to names in combination with one or more of the following: address, date of birth, Social Security number, information regarding services provided by Clay County Social Services (locations of service, dates of service, client identification number or unique identifier), insurance identification number, and insurance or billing information.

Clay County officials confirmed that they have taken several steps to improve security, including implementing multifactor authentication for remote access to the compromised CaseWorks application, updating procedures for external access by vendors, implementing tools to enhance detection and accelerate the response to cyber incidents, and implementing enhanced technical security measures for the CaseWorks application.

The incident is not yet showing on the HHS’ Office for Civil Rights breach portal, so it is currently unclear how many individuals have been affected.

The post Pan-American Life Insurance Group Reports 105,000-Record Data Breach appeared first on HIPAA Journal.

Retina Group of Washington Data Breach Affects 456,000 Patients

Posted by Steve Alder

Almost 456,000 individuals have been affected by a Retina Group of Washington data breach and have started receiving notifications, 9 months after the breach occurred.

On December 22, 2023, Retina Group of Washington, PLLC, filed a breach report with the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) that involved the protected health information of 455,935 individuals. Notification letters started to be mailed the same day.

According to the notification letters, Retina Group of Washington started experiencing difficulty accessing information on some of its systems on March 26, 2023. An investigation was launched, and the Federal Bureau of Investigation (FBI) was notified, and it was determined that the file access problems were due to a cyberattack.

Retina Group of Washington did not state the cause of the cyberattack but the wording of the letters suggests this was a ransomware attack. In the notification letters, Retina Group of Washington said the investigation into the cyberattack is still ongoing, but it has been confirmed that patient data was stolen in the attack.

The types of information involved include names, addresses, telephone numbers, email addresses, dates of birth, demographic information, Social Security numbers, Driver’s license numbers, medical record numbers, health information, payment information, and health insurance information.

Retina Group of Washington said it has not identified any attempted or actual misuse of patient data and will continue to implement additional procedures and security measures to strengthen the security of its systems.

Based on the breach notifications, it does not appear that credit monitoring and identity theft protection services are being offered. Affected patients have been told to “remain vigilant against incidents of identity theft and fraud, to review their account and explanation of benefits statements, and to monitor their free credit reports for suspicious activity and to detect errors.” Retina Group of Washington also suggests placing a credit freeze on accounts.

The post Retina Group of Washington Data Breach Affects 456,000 Patients appeared first on HIPAA Journal.

Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach

Posted by Steve Alder

More than half a dozen lawsuits have been filed against the Fred Hutchinson Cancer Center over a cyberattack and data breach that occurred over the Thanksgiving weekend. Unauthorized individuals gained access to its network where patient data was stored and removed files containing names, contact information, medical information, and Social Security numbers. The Hunters International hacking group claimed responsibility for the attack, and when the Fred Hutchinson Cancer Center refused to pay the ransom demand, they turned their attention to patients and started contacting them directly demanding payment of $50 to have their stolen data deleted. The hacking group claimed to have stolen the data of 800,000 patients.

Class action lawsuits are commonly filed after large data breaches, and it was inevitable that the affected individuals would take legal action given that they had been directly threatened by the individuals behind the attack. The lawsuits make similar claims, and it is therefore likely that they will be consolidated into a single class action lawsuit. The most common claims are that the Fred Hutchinson Cancer Center was negligent by failing to implement reasonable and appropriate safeguards to protect its internal networks and patient data against unauthorized access and that the breach occurred as a result of those security failures.

One of the lawsuits – Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – was filed in the Superior Court of the State of Washington in King County, and claims that the plaintiffs believed that the defendants had implemented and maintained reasonable and appropriate security practices due to the representations of the defendants, when that was not the case. Both of the named plaintiffs claim they first learned about the data breach when they were contacted directly by the hackers and threatened with the public release/sale of their sensitive data. They claim that the Fred Hutchinson Cancer Center failed to issue prompt notifications to allow them to take steps to protect themselves against identity theft and fraud.

The lawsuit claims the plaintiffs and class members now face grave and lasting consequences from the attack and have suffered injury and damages including a substantial and imminent risk of identity theft and medical identity theft, loss of confidentiality of highly sensitive PII/PHI, deprivation of the value of PII/PHI, and overpayment for services that did not include adequate data security, and other harms. In addition to negligence, the lawsuit alleges negligence per se, breach of fiduciary duty, breach of implied contract, unjust enrichment, and a violation of the Washington Consumer Protection Act. The lawsuit seeks a jury trial and actual, statutory, and punitive damages, restitution, disgorgement, and nominal damages, and equitable, injunctive, and declaratory relief. Another lawsuit, Shawna Arneson v. Fred Hutchinson Cancer Center, was filed in the same court and makes similar claims, and alleges the actions of Fred Hutchinson Cancer Center violated HIPAA.

A third lawsuit – Doe v. Fred Hutchinson Cancer Center et al – was filed in the US District Court for the Western District of Washington by John Doe, the father of Jack Doe, and similarly situated individuals. Other defendants named in the lawsuit include UW School of Medicine, UW Medical Center, Harborview Medical Center, Valley Medical Center, UW Physicians, UW Neighborhood Clinics (dba UW Medicine Primary Care), Airlift Northwest, and Children’s University Medical Group.

Jack Doe received healthcare services from UW Medicine but was never a patient of the Fred Hutchinson Cancer Center; however, his data was shared with the Fred Hutchinson Cancer Center as both health systems work together to advance cancer research. The lawsuit alleges that the defendants failed to implement appropriate cybersecurity measures and failed to protect patients from “a flood of extortionary threats by cybercriminals.” The lawsuit alleges long-standing security failures, as the Fred Hutchinson Cancer Center also failed to prevent a breach of an employee email account in March 2022. The lawsuit seeks a jury trial and an award of damages, relief, and restitution.

Fred Hutchinson Cancer Center Data Breach Lawsuits

  • Alexander Irvine and Barbara Twaddell v. Fred Hutchinson Cancer Center and University of Washington – The plaintiffs are represented by Alexander F. Strong of Stobaugh & Strong P.C., Ben Barnow, Anthony L. Parkhill, and Riley W. Prince of Barnow and Associates.
  • Doe v. Fred Hutchinson Cancer Center et al – The plaintiffs and class are represented by Turke & Strauss LLP.
  • Shawna Arneson v. Fred Hutchinson Cancer Center – The plaintiffs are represented by Kim D. Stephens & Cecily C. Jordan of Tousley Brain Stephens PLLC.

The post Fred Hutchinson Cancer Center Lawsuits Mount After Cyberattack and Data Breach appeared first on HIPAA Journal.

Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital

Posted by Steve Alder

New York Presbyterian Hospital has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the New York Attorney General and will pay a financial penalty of $300,000.

NYP operates 10 hospitals in New York City and the surrounding metropolitan area and serves approximately 2 million patients a year. In June 2016, NYP added tracking pixels and tags to its nyp.org website to track visitors for marketing purposes. In early June 2022, NYP was contacted by a journalist from The Markup and was informed that these tools were capable of transmitting sensitive information to the third-party providers of the tools, including information classified as protected health information under HIPAA.

On June 16, 2023, The Markup published an article about the use of these tools by NYP and other U.S. hospitals, by which time NYP had already taken steps to remove the tools from its website and had initiated a forensic investigation to determine the extent of any privacy violations.  NYP determined that PHI had potentially been impermissibly disclosed and reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on March 20, 2023, as involving the protected health information (PHI) of up to 54,396 individuals.

NY Attorney General Launches HIPAA Investigation

NY Attorney General, Letitia James opened an investigation of NYP in response to the reported breach to determine whether NYP had violated HIPAA and New York laws. The investigation confirmed that NYP had added several tracking tools to its website that were provided by third parties such as Bing, Google, Meta/Facebook, iHeartMedia, TikTok, The Trade Desk, and Twitter. These tools were configured to trigger on certain user events on its website. Most were configured to send information when a webpage loaded, and some sent information in response to clicks on certain links, the transmission of forms, and searches conducted on the site. The snippets of information sent to third parties included information about the user’s interactions on the website, including the user’s IP address, URLs visited, and searches. The tools provided by Google, Meta, and the Trade Desk also received unique identifiers that had been stored in cookies on the user’s devices.

Meta/Facebook also received information such as first and last name, email address, mailing address, and gender information, if that information was entered on a webpage where the Meta pixel was present. In some cases, the information sent to third parties included health information, such as if the user researched health information, performed a search for a specialist doctor, or scheduled an appointment. Certain URLs also revealed information about a specific health condition.

The tracking tools from Meta, Google, and the Trade Desk were used to serve previous website visitors with targeted advertisements based on their previous interactions on the website. NYP and its digital marketing vendor also used Meta pixel data to categorize website visitors based on the pages they visited and used Meta pixel to serve advertisements to other individuals with similar characteristics, known as “lookalike audiences.” For example, NYP identified individuals who visited webpages related to prostate cancer, and those individuals were then served targeted advertisements on other third-party websites related to prostate cancer.

Commonly Used Website Tracking Tools Violate HIPAA

These tracking tools are widely used by businesses of all types and sizes for marketing, advertising, and data collection purposes; however, in contrast to most businesses with an online presence, hospitals are HIPAA-covered entities and are required by federal law to ensure the privacy of personal and health information. As confirmed by the HHS’ Office for Civil Rights in December 2022 guidance, third-party tools that are capable of collecting and transmitting PHI may only be used if there is a business associate agreement (BAA) in place and the disclosure of PHI is permitted by HIPAA or if HIPAA-compliant authorizations have been obtained from patients. NYP, like many other HIPAA-covered entities that used these tools, had no BAAs in place with the tracking tool vendors and did not obtain consent from patients to disclose their PHI to those vendors.

The New York Attorney General determined that while NYP had policies and procedures relating to HIPAA compliance and patient privacy, they did not include appropriate policies and procedures for vetting third-party tracking tools. The New York Attorney General determined that the use of these tools violated § 164.502(a) of the HIPAA Privacy Rule, which prohibits disclosure of PHI, and § 164.530(c) and (i), which requires administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures to comply with those requirements. NYP was also found to have violated New York Executive Law § 63 (12), by misrepresenting the manner and extent to which it protects the privacy, security, and confidentiality of PHI.

Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws

NYP fully cooperated with the investigation and chose to settle the alleged violations with no admission or denial of the findings of the investigation. In addition to the financial penalty, NYP has agreed to comply with Executive Law § 63 (12), General Business Law § 899-aa, and the HIPAA Privacy Rule Part 164 Subparts E and the HIPAA Breach Notification Rule 45 C.F.R. Part 164 Subpart D concerning the collection, use, and maintenance of PHI. NYP is also required to contact all third parties that have been sent PHI and request that information be deleted and NYP has agreed to conduct regular audits, reviews, and tests of third-party tools before deploying them to an NYP website or app, and conduct regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools.

NYP is also required to clearly disclose on all websites, mobile applications, and other online services it owns or operates, all third parties that receive PHI as the result of a pixel, tag, or other online tool, and provide a clear description of the PHI that is received.  The notice must be placed on all unauthenticated web pages that allow individuals to search for doctors or schedule appointments, as well as any webpage that addresses specific symptoms or health conditions.

OCR’s guidance on tracking technologies is being challenged in court due to doubts about whether the types of information collected by tracking tools fall under the HIPAA definition of PHI. The requirements of the settlement concerning the use of tracking technologies and the restrictions imposed will remain in effect until the relevant sections of OCR’s guidance are amended, superseded, withdrawn, revoked, supplanted by successive guidance, or temporarily or permanently enjoined and/or rejected by a court ruling applicable to HIPAA-covered entities in New York.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. New York-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that New York-Presbyterian is not negligent in protecting its patients’ information.”

A spokesperson for NYP responded to the resolution of the investigation and provided the following statement, “We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards.”

The post Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital appeared first on HIPAA Journal.