NewYork-Presbyterian Hospital (“NYP”) strives to provide exceptional, personalized care that always puts our patients first. We value our patients and community members and understand that maintaining your privacy is of the utmost importance.
Recently, NYP became aware of an issue relating to its use of tracking and analytics tools on our public-facing www.nyp.org website that may have resulted in the sharing of certain patients’ information with the developers of these tools. NYP began using these tools from third-party service providers on www.nyp.org to understand how visitors interacted with the website. These tools allowed NYP to review website activity to streamline external communications, monitor community engagement and make it easier for patients to connect with the care that they need.
NYP disabled the trackers and worked with a forensic firm to conduct a full analysis of the information that these tools had collected and shared.
In January of 2023, NYP learned that certain information of patients requesting appointments or second opinions, or initiating a virtual urgent care visit on www.nyp.org may have been accessed by NYP’s third-party technology service providers. We then reviewed that matter further and determined that the tracking and analytics tools accessed IP addresses and the URL/website addresses of the pages visited, which may have included the provider name and specialty listed on NYP.org. In addition, certain tools were also able to access first name, last name, email address, mailing address, and/or gender if that information was entered on particular pages of the website.
Approximately 54,396 patients were affected.
NYP has not found any evidence that the trackers and analytics tools captured financial information, passwords, payment information, social security numbers or sensitive health information. The trackers and analytics tools also did not collect any protected health information from patient medical records within the NYP Connect patient portal or mobile application.
NYP is committed to protecting the privacy and security of its patients’ health information and has taken steps to prevent a similar incident from happening in the future. After disabling the tracking and analytics tools from our website, NYP reevaluated and changed our data collection practices and developed a protocol for monitoring website engagement.
As required by law, NYP reported this incident to the Department of Health and Human Services, Office for Civil Rights and to the Office of the Attorney General in New York State.
NYP has established a call center with personnel available to answer questions from those who have been impacted. Concerned patients can reach the center toll-free Monday through Friday, from 8:00 a.m. to 8:00 p.m. Eastern Standard Time, at 1-888-308-4435.
Frequently Asked Questions
NYP has been using certain analytics tools from third-party service providers on our public-facing website, NYP.org. We used these analytics tools to assist us in understanding how our community interacts with NYP.org. Some of these analytics tools may have captured and shared certain users’ information when visitors to our website requested an appointment or second opinion, or started a virtual urgent care visit online with one of our service providers.
What Information Was Collected and Shared?
The analytics tools on NYP.org accessed IP addresses and the URL/website addresses of the pages visited, which may have included the provider’s name and/or specialty, when a visitor requested an appointment or second opinion, or initiated a virtual urgent care visit. In addition, certain tools also were able to access first name, last name, email address, mailing address, and/or gender, if the information was entered on certain pages of the website. However, we have not identified any individual visitor for whom first name, last name, email address, mailing address, and/or gender was accessed when they requested an appointment, requested a second opinion, or started a virtual urgent care visit.
Was My Sensitive Health Information Shared?
No. The analytics tools did not collect or transmit sensitive health information such as your medical condition, test results or treatment information. The analytics tools also did not collect any protected health information from medical records within the NYP Connect patient portal or mobile application. The analytics tools accessed certain limited data, including the visitor’s IP address and the URL/website addresses of the pages visited, which may have included the provider’s name and/or specialty, when a visitor requested an appointment or second opinion, or initiated a virtual urgent care visit.
Was My Sensitive Financial Information Shared?
No. The analytics tools did not collect social security numbers, financial account numbers, insurance information, credit/debit card information, passwords, or billing information.
Why Was NYP Using Analytics Tools on NYP.org?
NYP used analytics tools to better understand community interaction with our website, to improve users’ experience with the website and help us communicate better with the community about our treatment teams, new developments in medicine, and interesting activities in the community.
When Did NYP Learn About This Issue?
NYP learned of general concerns regarding the use of analytics tools on healthcare provider websites across the country in June 2022. After reviewing those concerns, NYP promptly took steps to disable the analytics tools that raised concern from our website and began a review of our data collection practices, including the types of data that were accessed from NYP.org.
In connection with its review, NYP learned in January that some of the analytics tools on NYP.org may have shared certain types of identifiable information with our service providers.
What Has NYP Done In Response?
When NYP learned of general concerns regarding the use of certain analytics tools on healthcare provider websites, we disabled these tools. We then worked with a forensic firm to identify and evaluate the types of data that may have been accessed and whether the data was shared with anyone outside of the hospital. Once we determined that certain website user information may have been shared with our service providers, NYP took steps to report the matter to federal and state regulators and to notify individuals who had scheduled appointments on NYP.org while the analytics tools were being used.
Does NYP Have A List Of The Names Of People Impacted?
NYP has not identified any individual whose first name, last name, email address or mailing address was accessed. Nonetheless, because the tracking tools accessed IP address when visitors requested an appointment or a second opinion, or started a virtual urgent care visit on NYP.org, and certain tracking tools were configured in a way that first name, last name, email address, mailing address, and/or gender may have been accessed by NYP’s service providers, we are notifying people who used NYP.org to request an appointment or second opinion, or to start a virtual visit.
How Do I Know If I’ve Been Impacted?
NYP is sending notices to all individuals whose information may have been accessed when booking or requesting an appointment or second opinion, or starting a virtual urgent care visit on NYP.org. If you do not receive a notice, that means we do not have reason to believe that your personal health information was collected and accessed by the relevant third parties.
What Are The Timeframes When The Information May Have Been Collected?
If you requested a second opinion between June 2016 and mid-June 2022, initiated a virtual visit between 2017 and mid-June 2022, or requested an appointment between December of 2018 and mid-June 2022, you may be impacted.
I Did Not Get A Notice. What Does That Mean?
It could mean that NYP did not conclude that your personal health information was collected or shared with the relevant third parties. It could also mean that you have not yet received your notice.
NYP has established a call center for community members to call at 1-888-308-4435, Monday through Friday from 8am to 8pm Eastern Time. Operators will be standing by to answer your questions and address your concerns.
I’ve Never Gone To NewYork-Presbyterian Hospital. Why Did I Receive A Notice?
NYP is an academic medical center, with a number of doctors on staff who see patients for illnesses, injuries or conditions that do not require hospitalization.
You may have scheduled an appointment with a doctor on NYP’s medical staff for a visit in their office. You do not have to have been treated at or admitted to the hospital to get the notice; you simply had to have requested or booked an appointment, requested a second opinion, or clicked a button to start a virtual urgent care visit on NYP.org.
I Want To Make An Appointment on NYP.org. Can I Do So Without My Information Being Disclosed To NYP’s Service Providers?
Yes, NYP has removed the analytics tools that may have been accessing certain information. NYP.org still utilizes some analytics tools, but these tools are necessary for NYP to operate our website, and any user information is shared with protections in place so that personal information will not be disclosed to our service providers unless they have agreed to maintain the information in confidence. As a general matter, you can also limit the use of analytics tools by blocking or deleting cookies in your web browser, opting out of information sharing, or using browsers that protect your privacy while visiting websites, such as virtual private networks, otherwise known as “VPNs.”
How Can I Learn More About What Happened?
NYP has established a hotline for community members to call at 1-888-308-4435, Monday through Friday from 8am to 8pm Eastern Time. Operators will be standing by to answer your questions and address your concerns.
Can I Still Call The Hotline If I Didn’t Receive A Notice?
Yes, operators will answer your questions even if you have not received a notice that you have been impacted by this matter.
Is NYP Offering Credit Monitoring?
At this time, NYP is not offering credit monitoring because we do not have any indication that the analytics tools on NYP.org accessed your financial information.
Do I Need To Change My Password on the NYP Connect Patient Portal?
NYP does not have any indication that your password information was collected and shared by the analytics tools. Patients are encouraged to change their passwords periodically to protect against unwanted access from cyber hackers and other third parties, but we do not have any indication that any community member’s login credentials have been compromised as a result of this incident.
Is There Anything Else I Can Do?
As a general matter, you can also limit the use of analytics tools by blocking or deleting cookies, opting out of information sharing or using browsers that protect your privacy while visiting websites, such as virtual private networks, otherwise known as “VPNs.”
It is also always a good idea to remain vigilant to threats of identity theft and fraud. You can do so by reviewing your financial statements, requesting a credit report and checking your credit card bills for unusual charges. If you suspect that you may have been the victim of identity theft or fraud, you should contact the authorities and notify the company that maintains the account on your behalf.