reported that “State regulators have fined a large New York academic medical center $300,000 to settle privacy violations related to the organization’s prior use of tracking tools in its websites and patient portal. Regulators said the hospital had violated HIPAA rules in sharing patient information with third parties for marketing purposes.”  The January 2, 2024 article entitled ” State AG Hits Hospital With $300K Fine for Web Tracker Use” ( included these comments from my good friend Rachel Rose ( about New York-Presbyterian Hospital and other states actions:

Given the increased focus on cybersecurity, including the New York State Department of Financial Services’ amendments to Part 500 of its cybersecurity regulations and its recent enforcement action against a radiology group for failing to implement adequate technical safeguards to protect the privacy of patient information, it is not surprising,…

It is very likely that we could see enforcement actions for two reasons: the national focus on third parties, and state breach notification law requirements to state agencies, oftentimes the statute requires reporting to the state attorney general’s office.

The article included these comments about New York-Presbyterian Hospital (NYP):

NYP, which operates 10 hospitals across the New York City area, handles more than 2 million patient visits annually. The group’s website allows individuals to schedule appointments, search for doctors and healthcare services, and research information relating to symptoms and conditions.

The New York state attorney general’s office said its investigation had determined that NYP did not have appropriate internal policies or procedures for vetting third-party tracking tools, did not have business associate agreements with the technology providers, and did not review or vet third-party tracking tools for violations of policy or law prior to their deployment.

NYP in June 2016 began using tracking pixels and tags from tech vendors including Meta/Facebook, Google, TikTok, iHeartMedia and Twitter in its websites and patient portals. The tracking tools sent the third-party companies a variety of information about NYP’s website visitors, including, in some cases, details about the user’s health and medical conditions, the state regulator said.

Patients expect privacy, so this is disturbing to say the least!

First published at