Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital

Posted by Steve Alder

New York Presbyterian Hospital has agreed to settle alleged violations of the Health Insurance Portability and Accountability Act (HIPAA) Privacy Rule with the New York Attorney General and will pay a financial penalty of $300,000.

NYP operates 10 hospitals in New York City and the surrounding metropolitan area and serves approximately 2 million patients a year. In June 2016, NYP added tracking pixels and tags to its nyp.org website to track visitors for marketing purposes. In early June 2022, NYP was contacted by a journalist from The Markup and was informed that these tools were capable of transmitting sensitive information to the third-party providers of the tools, including information classified as protected health information under HIPAA.

On June 16, 2023, The Markup published an article about the use of these tools by NYP and other U.S. hospitals, by which time NYP had already taken steps to remove the tools from its website and had initiated a forensic investigation to determine the extent of any privacy violations.  NYP determined that PHI had potentially been impermissibly disclosed and reported the breach to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) on March 20, 2023, as involving the protected health information (PHI) of up to 54,396 individuals.

NY Attorney General Launches HIPAA Investigation

NY Attorney General, Letitia James opened an investigation of NYP in response to the reported breach to determine whether NYP had violated HIPAA and New York laws. The investigation confirmed that NYP had added several tracking tools to its website that were provided by third parties such as Bing, Google, Meta/Facebook, iHeartMedia, TikTok, The Trade Desk, and Twitter. These tools were configured to trigger on certain user events on its website. Most were configured to send information when a webpage loaded, and some sent information in response to clicks on certain links, the transmission of forms, and searches conducted on the site. The snippets of information sent to third parties included information about the user’s interactions on the website, including the user’s IP address, URLs visited, and searches. The tools provided by Google, Meta, and the Trade Desk also received unique identifiers that had been stored in cookies on the user’s devices.

Meta/Facebook also received information such as first and last name, email address, mailing address, and gender information, if that information was entered on a webpage where the Meta pixel was present. In some cases, the information sent to third parties included health information, such as if the user researched health information, performed a search for a specialist doctor, or scheduled an appointment. Certain URLs also revealed information about a specific health condition.

The tracking tools from Meta, Google, and the Trade Desk were used to serve previous website visitors with targeted advertisements based on their previous interactions on the website. NYP and its digital marketing vendor also used Meta pixel data to categorize website visitors based on the pages they visited and used Meta pixel to serve advertisements to other individuals with similar characteristics, known as “lookalike audiences.” For example, NYP identified individuals who visited webpages related to prostate cancer, and those individuals were then served targeted advertisements on other third-party websites related to prostate cancer.

Commonly Used Website Tracking Tools Violate HIPAA

These tracking tools are widely used by businesses of all types and sizes for marketing, advertising, and data collection purposes; however, in contrast to most businesses with an online presence, hospitals are HIPAA-covered entities and are required by federal law to ensure the privacy of personal and health information. As confirmed by the HHS’ Office for Civil Rights in December 2022 guidance, third-party tools that are capable of collecting and transmitting PHI may only be used if there is a business associate agreement (BAA) in place and the disclosure of PHI is permitted by HIPAA or if HIPAA-compliant authorizations have been obtained from patients. NYP, like many other HIPAA-covered entities that used these tools, had no BAAs in place with the tracking tool vendors and did not obtain consent from patients to disclose their PHI to those vendors.

The New York Attorney General determined that while NYP had policies and procedures relating to HIPAA compliance and patient privacy, they did not include appropriate policies and procedures for vetting third-party tracking tools. The New York Attorney General determined that the use of these tools violated § 164.502(a) of the HIPAA Privacy Rule, which prohibits disclosure of PHI, and § 164.530(c) and (i), which requires administrative, technical, and physical safeguards to protect the privacy of PHI and policies and procedures to comply with those requirements. NYP was also found to have violated New York Executive Law § 63 (12), by misrepresenting the manner and extent to which it protects the privacy, security, and confidentiality of PHI.

Settlement Agreed to Resolve Alleged Violations of HIPAA and State Laws

NYP fully cooperated with the investigation and chose to settle the alleged violations with no admission or denial of the findings of the investigation. In addition to the financial penalty, NYP has agreed to comply with Executive Law § 63 (12), General Business Law § 899-aa, and the HIPAA Privacy Rule Part 164 Subparts E and the HIPAA Breach Notification Rule 45 C.F.R. Part 164 Subpart D concerning the collection, use, and maintenance of PHI. NYP is also required to contact all third parties that have been sent PHI and request that information be deleted and NYP has agreed to conduct regular audits, reviews, and tests of third-party tools before deploying them to an NYP website or app, and conduct regular reviews of the contracts, privacy policies, and terms of use associated with third-party tools.

NYP is also required to clearly disclose on all websites, mobile applications, and other online services it owns or operates, all third parties that receive PHI as the result of a pixel, tag, or other online tool, and provide a clear description of the PHI that is received.  The notice must be placed on all unauthenticated web pages that allow individuals to search for doctors or schedule appointments, as well as any webpage that addresses specific symptoms or health conditions.

OCR’s guidance on tracking technologies is being challenged in court due to doubts about whether the types of information collected by tracking tools fall under the HIPAA definition of PHI. The requirements of the settlement concerning the use of tracking technologies and the restrictions imposed will remain in effect until the relevant sections of OCR’s guidance are amended, superseded, withdrawn, revoked, supplanted by successive guidance, or temporarily or permanently enjoined and/or rejected by a court ruling applicable to HIPAA-covered entities in New York.

“New Yorkers searching for a doctor or medical help should be able to do so without their private information being compromised,” said Attorney General James. “Hospitals and medical facilities must uphold a high standard for protecting their patients’ personal information and health data. New York-Presbyterian failed to handle its patients’ health information with care, and as a result, tech companies gained access to people’s data. Today’s agreement will ensure that New York-Presbyterian is not negligent in protecting its patients’ information.”

A spokesperson for NYP responded to the resolution of the investigation and provided the following statement, “We are pleased to have reached a resolution with the New York State Attorney General on this matter. The privacy and security of our patients’ health information is of paramount importance, and the protection of this confidential information remains a top priority. We continually assess our data collection, data privacy, and digital monitoring tools and practices so that they meet or exceed the highest standards.”

The post Website Pixel Use Leads to $300K Fine for New York Presbyterian Hospital appeared first on HIPAA Journal.

$30 Million Settlement Agreed to Resolve Integris Health Class Action Data Breach Lawsuit

Posted by Steve Alder

Integris Health has agreed to pay $30 million to settle class action data breach litigation. The settlement resolves claims stemming from a major data breach in 2023 that saw hackers gain access to systems containing the electronic protected health information of more than 2.38 million individuals.

Integris Health, one of the largest health systems in Oklahoma, first announced the cyberattack and data breach in December 2023. Hackers gained access to its computer network on November 28, 2023, and exfiltrated files containing patient data. The threat actor did not encrypt files but demanded payment to prevent the release of the stolen data. On December 24, 2025, Integris Health started to be contacted by patients who had been contacted directly by the threat actor, who was demanding $50 per patient to delete their stolen data.

The HHS’ Office for Civil Rights was notified about the data breach in February 2024 and was told that the protected health information of 2,385,646 individuals was compromised in the attack. The stolen data included names, contact information, birth dates, demographic information, and Social Security numbers. Several class action lawsuits were filed in response to the data breach, which were consolidated into a single lawsuit – Bointy, et al. v. Integris Health, Inc. – as the lawsuits had overlapping claims and were based on the same facts.  In total, ten class action lawsuits were filed in the District Court of Oklahoma County, and a further eleven were filed in the U.S. District Court for the Western District of Oklahoma.

The consolidated lawsuit was filed in the District Court of Oklahoma County and alleged that Integris Health had failed to implement reasonable and appropriate safeguards to protect the data stored on its network. In contrast to the OCR breach portal, the lawsuit claimed the protected health information of 2,426,868 individuals was compromised in the incident, including 255,647 minors.

Integris Health claimed that business associate Tech Mahindra, LLC, was to blame for the breach, as it was caused by its failure to maintain reasonable and appropriate cybersecurity measures. Tech Mahindra filed a motion to compel arbitration and dismiss the lawsuit, and Integris Health voluntarily dismissed Tech Mahindra from the litigation. Integris Health maintains there was no wrongdoing and is no liability and denies all material allegations made by the plaintiffs; however, the decision was taken to settle the lawsuit to avoid the cost, risk, and uncertainty of continuing with the litigation. Following settlement discussions between Integris Health and legal counsel for the plaintiffs, a suitable settlement was agreed upon, which has now received preliminary approval from the court.

The settlement provides substantial benefits for the class members. Integris Health has agreed to establish a $30 million settlement fund to cover attorneys’ fees and expenses, service awards for class representatives, settlement administration costs, and benefits for the class members. Benefits will be paid from the remainder of the settlement fund after all costs have been deducted.

All class members are entitled to claim three years of credit monitoring services, which include a $1 million identity theft insurance policy. In addition, class members may claim one of two cash payments. Claims may be submitted for reimbursement of documented, unreimbursed losses due to the data breach up to a maximum of $25,000 per class member. Alternatively, a claim may be submitted for a cash payment, which is estimated to be $100 per class member, but will be adjusted pro rata upward or downward depending on the number of valid claims received. The cash payments will exhaust the settlement fund.

Individuals wishing to object to or exclude themselves from the settlement must do so by December 21, 2025. Claims must be submitted by December 22, 2025, and the final approval hearing has been scheduled for December 16, 2025.

February 13, 2025: Integris Health Confirms 2.39 Million Individuals Affected by Cyberattack

Integris Health has completed the review of the files that were accessed/stolen in its November 2023 cyberattack and has reported the incident to the Department of Health and Human Services (HHS) Office for Civil Rights (OCR) as affecting 2,385,646 individuals. The HIPAA breach notices explain that the information stolen in the cyberattack varies from individual to individual and includes names in combination with one or more of the following: date of birth, contact information, demographic information, and/or Social Security number. Integris Health’s investigation confirmed that employment information, driver’s licenses, financial/payment information, and usernames/passwords were not accessed or stolen. Integris Health said it has reviewed and enhanced existing policies and procedures to reduce the likelihood of a similar future incident.

The lawsuits against Integris Health are mounting. One of the latest, Johnston v. Integris Health Inc., was filed in the U.S. District Court for the Western District of Oklahoma and names Teresa Johnson as lead plaintiff. The lawsuit alleges negligence for failing to implement reasonable and appropriate safeguards and seeks compensatory damages, punitive damages, nominal damages, restitution, injunctive and declaratory relief, and attorney fees and costs. The class action lawsuits make similar claims and and are based on the same facts, so they are likely to be consolidated into a single lawsuit.

Jan 4, 2024: Integris Health Facing Multiple Class Action Lawsuits Over Cyberattack & Data Breach

Several class action lawsuits have been filed against Integris Health over its recent cyberattack and data breach. While Integris Health has yet to confirm how many individuals have been affected, the threat actor behind the attack claims to have obtained the data of around 2 million patients and emailed those patients directly on December 24, 2023, demanding payment after Integris Health refused to pay the ransom.

One of the lawsuits – Zinck et al v. Integris Health Inc. – was filed by William Federman of the law firm Federman & Sherman in the U.S. District Court for the Western District of Oklahoma on behalf of plaintiff Aaron Zinck and similarly situated individuals. The lawsuit alleges that Integris Health failed to implement reasonable and appropriate security measures to protect patient data, despite being aware of a high risk of ransomware and other cyberattacks on hospitals.

Federman criticized Integris Health for the lack of transparency about the cyberattack and data breach, claiming Integris Health did not make any announcement about the attack until after patients were contacted directly by the hackers. Integris Health explained in its notification to patients that the threat actor gained access to its systems on November 28, 2023. Federman alleges Integris Health withheld important information that could have allowed the plaintiff and class members to take action to secure their identities and protect against fraud. While it is typical for healthcare organizations to offer complimentary credit monitoring and identity theft protection services when sensitive data is known to have been stolen, those services do not appear to have been offered.

The lawsuit seeks a jury trial, an award of damages, and attorney’s fees. Several other lawsuits have also been filed in the past few days that make similar claims, including Joseph E Bointy v. Integris Health, Gregory Leeb v. Integris Health, and Civi et al v. Integris Health Inc.

December 27, 2023 – Integris Health Patients Contacted Directly by Threat Actors After Cyberattack

Integris Health, the largest not-for-profit Oklahoma-owned health system in the state, has confirmed that its internal systems have been compromised in a cyberattack and an unauthorized third party obtained patient data. Integris Health operates 15 hospitals in Oklahoma and many specialty clinics, family care practices, and centers of excellence. Integris Health uploaded a notice to its website on December 24, 2023, about a data privacy incident. According to Integris Health, suspicious activity was detected within its IT systems, and immediate action was taken to prevent further unauthorized access. An investigation was launched to determine the nature and scope of the breach, which revealed that the unauthorized access started on November 28, 2023. The unauthorized actor exfiltrated sensitive data from Integris Health’s systems but did not encrypt files.

Integris Health has conducted a review of the affected files and has confirmed that the compromised information includes names, dates of birth, contact information, demographic information, and Social Security numbers. Integris Health said health information, financial information, driver’s licenses, and usernames/passwords were not stolen. On December 24, 2023, Integris Health started to be contacted by some of its patients after they received communications from a group that claimed responsibility for the cyberattack. The threat group explained in the communications with patients that they had obtained names, dates of birth, SSNs, addresses, phone numbers, insurance information, and employer information, and that they would be selling the data on the dark web to be used for fraud and identity theft. Patients were told they could prevent the sale of their data by making a payment before January 5, 2024; otherwise, the entire database will be sold to a data broker. The communications with patients include a sample of the stolen data as proof, which some patients have confirmed is genuine.

The threat actor claims to have obtained the protected health information of more than 2 million Integris Health patients, and that the reason for demanding payment from patients is that Integris Health has refused to pay to have the information deleted. The patients have been provided with a Tor link to make payment and the threat actor is charging individuals $3 to view their stolen data or $50 to have the data deleted. According to Bleeping Computer, the Tor extortion site lists 4,674,000 records, although it is unclear if all of those records are unique. Integris Health has yet to confirm how many individuals have been affected.

There have been several recent cyberattacks where individual patients have been contacted directly by the threat actors behind the attack after the breached organization refused to pay a ransom demand. Earlier this year, patients of a plastic surgery clinic were contacted directly and were told that sensitive photographs and other information had been put in the public domain and payment was required to have the information taken down. Recently, the Hunters International threat group contacted patients of the Fred Hutchinson Cancer Center when the ransom was not paid and told the patients they had to pay $50 to have their information deleted, otherwise it would be sold. The data was stolen in a cyberattack over the Thanksgiving Day weekend.

While paying the $50 may result in the stolen data being deleted, there is no guarantee. Individuals who pay up could be subjected to further extortion attempts, and/or their sensitive data may still be sold.  “We encourage anyone receiving such communications to NOT respond or contact the sender, or follow any of the instructions, including accessing any links,” said Integris Health in its website notification.

The post $30 Million Settlement Agreed to Resolve Integris Health Class Action Data Breach Lawsuit appeared first on The HIPAA Journal.

Another Corewell Health Business Associate Suffers Million-Record Data Breach

Posted by Steve Alder

The Michigan Attorney General’s Office announced on Tuesday that the protected health information of more than one million Corewell Health patients had been compromised in a cyberattack on one of Corewell Health’s vendors. HealthEC provides Corewell Health with a population health management platform that is used to identify high-risk patients in southeastern Michigan to close gaps in care and identify barriers to optimal care.

HealthEC explained in its breach notification letters that suspicious activity was identified within its network and the forensic investigation determined that an unknown, unauthorized actor had access to some internal systems between July 14, 2023, and July 23, 2023. During that time, files containing protected health information were removed from its systems. HealthEC conducted a review of all files on the compromised part of the network and notified its affected clients on October 26, 2023. HealthEC then worked with those clients to issue notifications. According to the notification sent to the Maine Attorney General, HealthEC started mailing notification letters to 112,005 individuals on December 22, 2023. Some of HealthEC’s covered entity clients have opted to send notification letters themselves.

According to HealthEC, the following types of information were compromised: names, addresses, dates of birth, Social Security numbers, medical record numbers, diagnoses and diagnosis codes, mental/physical condition, prescription information, providers’ names, beneficiary numbers, subscriber numbers, Medicaid/Medicare identification numbers, patient account numbers, patient identification numbers, and treatment cost information. HealthEC has offered complimentary credit monitoring and identity theft protection services to the affected individuals for 12 months.

Data breaches at business associates of HIPAA-covered entities often affect many of their clients. Another HealthEC client known to have been affected is Beaumont ACO in Michigan. It is possible that individuals may receive two notification letters related to this incident if they have previously received services from Corewell Health and Beaumont ACO.

This is the second major data breach to affect Corewell Health patients this year. In November, Welltok Inc., which provides patient communication services, started notifying around one million Corewell Health patients that some of their protected health information had been stolen when a zero-day vulnerability was exploited in Progress Software’s MOVEit Transfer file transfer solution. The two incidents are unrelated and were conducted by separate threat actors. Corewell Health patients had their names, dates of birth, email addresses, phone numbers, diagnoses, health insurance information, and Social Security numbers stolen by the Clop hacking group. The same breach also affected Priority Health, which is Corewell Health’s insurance plan.

“Health information is some of the most personal information we have,” said Michigan Attorney General Dana Nessel. “Michigan residents have been subjected to a surge of healthcare-related data breaches and deserve robust protection. It is critical that the Michigan legislature join the many other states that require companies who experience a data breach to immediately inform the Department of Attorney General.”

The post Another Corewell Health Business Associate Suffers Million-Record Data Breach appeared first on HIPAA Journal.