
Website Tracking Technology Breach Affects 54,000 New York Presbyterian Hospital Patients

New York Presbyterian Hospital has reported a 54K-record data breach due to website tracking tools, ransomware attacks have been reported by Atlantic Dialysis Management Services and American Pain & Wellness, and there has been an impermissible disclosure of PHI by a former New Medical Health Care employee.

New York Presbyterian Hospital – Website Analytics and Tracking Tools

New York Presbyterian Hospital (NYP) has confirmed that tracking and analytics tools have been used on its website, nyp.org, which may have resulted in patient information being impermissibly disclosed to third-party service providers that developed the tools.

According to a website notification, these tools were used to gain a better understanding of how visitors interacted with the website and allowed NYP to streamline external communications, monitor community engagement, and make it easier for patients to connect with the care they need. After NYP discovered the potential for impermissible disclosures, the tools were disabled and a third-party forensic firm was engaged to assist with the investigation and determine which individuals had been affected and the extent of any privacy violations.

In January 2023, NYP determined that the types of information disclosed via the tools included names, email addresses, mailing addresses, and/or gender and that 54,396 individuals had been affected. Those individuals had requested appointments, second opinions, or initiated a virtual urgent care visit via the website. No evidence of misuse of the disclosed information has been detected. NYP has reevaluated its data collection practices and has implemented a protocol for monitoring website engagement.

Atlantic Dialysis Management Services – Ransomware Attack

Atlantic Dialysis Management Services in New York has recently reported a cyberattack to the HHS’ Office for Civil Rights that was discovered on June 9, 2022. When suspicious activity was detected within its network, steps were immediately taken to prevent further unauthorized access, and a third-party computer forensics firm was engaged to investigate the incident. The investigation revealed that files containing patient data may have been accessed or obtained, and those files included patient names, addresses, Social Security numbers, dates of birth, medical diagnosis and treatment information, health insurance information, and prescription information.

Atlantic Dialysis Management Services did not state the nature of the attack in its breach notification nor did it confirm that patient data had been stolen; however, this was a ransomware attack by the Snatch team, which subsequently published the stolen data on its data leak site. According to the HIPAA business associate, no evidence of misuse of patient data was identified.

Additional security measures have now been implemented to improve data security and the incident has been reported to the HHS’ Office for Civil Rights. The breach is listed as 14 separate breach notices, affecting 19,972 patients in total, suggesting one breach notice has been posted for each affected client. Some clients may instead choose to report the data breach themselves, so that may not be the final total.

American Pain and Wellness – Ransomware Attack

American Pain and Wellness in Texas has recently reported a ransomware attack to the Maine Attorney General that has affected a total of 7,457 individuals. A security breach was detected on or around November 27, 2022, with the review confirming that ransomware had been used to encrypt files and backups. The investigation determined that files may have been accessed or acquired during the time that its systems were compromised, between November 10, 2022, and November 27, 2022.

The review of the affected files was completed on or around January 24, 2023, and confirmed that names and Social Security numbers may have been compromised. Additional data security safeguards have now been implemented, further training has been provided to employees, and affected individuals have been notified.

New Medical Health Care & Restoration Health – Impermissible Disclosure of Patient Data

New Medical Health Care & Restoration Health (NMHCRH) in Wichita, KS, has recently notified 1,557 patients about an impermissible disclosure of some of their data by an employee. In October 2022, an employee provided a patient list to an individual who was not authorized to receive the information.

The individual who received the list is believed to be helping a former NMHCRH physician who has set up a new practice. The list contained names, phone numbers, addresses, email addresses, birth dates, other demographic information, and potentially also the name/address of the patient’s employer, emergency contact information, guarantor name and address, preferred pharmacy, and insurance information. All patients on the list were previously seen by the physician who set up a new practice.

None of the individuals concerned are working at NMHCRH. The employee who provided the list had already left employment by the time the HIPAA violation was discovered. NMHCRH is working with all three individuals to obtain assurances that the patients concerned will not be contacted and that the information will not be further disclosed. Further training has been provided to the workforce on the importance of patient privacy and HIPAA requirements.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
