Contents
- Purpose
- Methodology
- Governance & Sensitive Documents
- Personnel & PII Exposure
- Financial Documents
- HIPAA & Regulatory Enforcement
- Wayback Machine Archive
- Certificate Transparency
- Infrastructure & Technical Surface
- Funding & Contract Records
- Legal & Regulatory Records
- Disaster & Environmental
- Media & Public Narrative
- Risk Summary
- Recommendations
- What This Means
Purpose
This audit maps the publicly indexed digital footprint of NewYork-Presbyterian Hospital across federal agency databases (CMS, HHS, OIG, EPA), state regulatory systems (NY DOH, NY AG), certificate transparency logs, the Wayback Machine, court records, and the entity's own web properties.
What can anyone with a search engine learn about your organization in 30 minutes?
For a major academic medical center, the digital footprint extends far beyond the institutional website. Federal regulators, state agencies, bond markets, nonprofit tax databases, certificate transparency infrastructure, and third-party data aggregators each contribute to a composite picture that any researcher, competitor, litigant, or threat actor can assemble from public sources alone.
Methodology
The following public data sources were queried:
- Google advanced search — filetype, site, intitle, and inurl operators targeting federal/state agency domains, the entity's own domain, and third-party platforms
- Wayback Machine CDX API — historical web archive of nyp.org (pages, PDFs, infrastructure patterns)
- Certificate Transparency logs — crt.sh and CertSpotter for SSL/TLS certificate SANs
- DNS interrogation — A, MX, NS, TXT, and CNAME records for nyp.org
- USASpending, HHS TAGGS, NIH RePORTER — federal funding and contract records
- IRS 990 data — via ProPublica Nonprofit Explorer
- Court records — Justia, CourtListener, DOJ press releases, OIG enforcement database
- FEMA, EPA, USGS — disaster declarations and environmental records
- News sources — Crain's New York, Becker's, Healthcare Dive, and wire services
No unauthorized access was performed or attempted. All findings come from publicly indexed sources.
Governance & Sensitive Documents
Queries used:
"NewYork-Presbyterian" filetype:pdf "confidential" OR "internal" OR "not for distribution"
"NewYork-Presbyterian" filetype:pdf "agreement" OR "contract" OR "memorandum" OR "MOU"
"NewYork-Presbyterian" filetype:pdf "proprietary" OR "draft" OR "privileged"
| # | Document | Hosted On | Risk | Notes |
|---|---|---|---|---|
| 1 | Confidentiality, Privacy and Information Security Agreement | nyp.vsyslive.com | Medium | Employee confidentiality agreement on third-party vendor platform (VSys Live). |
| 2 | GME Recruitment Packet (SAMPLE) | psychiatry.weill.cornell.edu | Low | Graduate medical education document referencing confidential access policies. |
| 3 | Medical Staff Bylaws | medicine.weill.cornell.edu | Low | Full bylaws including credentialing processes and committee structures. |
| 4 | Code of Conduct (June 2024) | nyp.org | Low | Intentionally public governance document. |
| 5 | NYP Hospital Refinancing SEQR Determination | dasny.org | Low | State environmental review for $400M bond refinancing. |
Assessment: LOW
Summary: Most documents are intentionally public governance materials or regulatory filings. The confidentiality agreement on vsyslive.com reveals categories of information NYP considers proprietary, but no leaked contracts, MOUs, or privileged materials were found.
Personnel & PII Exposure
Queries used:
"NewYork-Presbyterian" filetype:csv OR filetype:xlsx "employee" OR "directory" OR "roster" OR "staff"
"NewYork-Presbyterian" filetype:pdf "staff list" OR "phone directory" OR "org chart"
| # | Document | Hosted On | Risk | Notes |
|---|---|---|---|---|
| 1 | NYC Call Center MASTER Contact LIST | nysna.org | Medium-High | Staff names, emails, and phone numbers across multiple NYP facilities. Hosted on union website. |
| 2 | PPS Workforce Lead Contact List | health.ny.gov | Medium | State-hosted document with NYP staff names, titles, phone numbers, and emails. |
| 3 | LMH Physician Directory | nyp.org | Low | Intentionally public physician directory. |
| 4 | NYP Employee Directory (ZoomInfo) | zoominfo.com | Medium | Third-party data aggregator with scraped employee directory. |
| 5 | NYP Staff Directory (LeadIQ) | leadiq.com | Medium | Sales intelligence platform aggregating NYP employee contacts. |
| 6 | NYP Staff Directory (ContactOut) | contactout.com | Medium | Another third-party platform reselling NYP employee information. |
Assessment: MEDIUM-HIGH
Summary: The NYSNA "MASTER Contact LIST" aggregates staff names, direct phone numbers, and email addresses across multiple NYP facilities on a domain NYP does not control. Multiple data aggregators (ZoomInfo, LeadIQ, ContactOut) are actively scraping and reselling NYP employee information.
Financial Documents
Queries used:
"NewYork-Presbyterian" filetype:pdf "budget" OR "revenue" OR "salary" OR "compensation"
"NewYork-Presbyterian" filetype:pdf "audit" OR "financial statement" OR "990" OR "annual report"
| # | Document | Hosted On | Risk | Notes |
|---|---|---|---|---|
| 1 | 2024-2025 GME Salary & Benefits Summary | surgery.weill.cornell.edu | Low | Detailed salary schedules for all PGY levels. Intentionally shared. |
| 2 | PPS Finance Committee Guidelines | nyp.org | Medium | Names VP of Revenue Cycle, details budget/funds flow processes. |
| 3 | Consolidated Financial Statements (EMMA/MSRB) | emma.msrb.org | Low | Bond disclosure financials. Regulatory requirement. |
| 4 | Revenue Bonds Series 2023A (DASNY) | dasny.org | Low | Bond offering with Moody's Aa2 rating. Public record. |
Assessment: LOW
Summary: Financial exposure is extensive in volume but low in risk. Nearly all documents are intentionally published or regulatory obligations.
HIPAA & Regulatory Enforcement
Queries used:
"NewYork-Presbyterian" HIPAA violation OR breach OR penalty
"NewYork-Presbyterian" site:hhs.gov
"NewYork-Presbyterian" "consent decree" OR "settlement" OR "enforcement"
| # | Record | Source | Amount | Notes |
|---|---|---|---|---|
| 1 | HHS OCR — ePHI Data Breach Settlement | hhs.gov | $4.8M (combined) | 2014. ~6,800 patient records exposed on search engines. NYP paid $3.3M. Largest HIPAA settlement at the time. |
| 2 | HHS OCR — Unauthorized Patient Filming | hhs.gov | $2.2M | 2016. ABC News "NY Med" crew filmed dying patient without consent. 2-year corrective action monitoring. |
| 3 | NY AG — Pixel Tracking Settlement | ag.ny.gov | $300K | 2023. Tracking pixels from Meta, Google, TikTok transmitted PHI of 54,396 individuals (2016-2022). |
Assessment: HIGH
Summary: Three separate federal/state HIPAA enforcement actions spanning a decade, totaling approximately $7.3M in fines. The full resolution agreements and corrective action plans are publicly available on hhs.gov.
Wayback Machine Archive
Domains queried: nyp.org, www.nyp.org, healthmatters.nyp.org, cadc.nyp.org
| Metric | Value |
|---|---|
| Total unique pages archived | ~150,000+ |
| Total unique PDFs archived | 312 |
| Earliest snapshot | 1999-01-17 |
| Most recent snapshot | 2026-02-27 |
| Hosting platform detected | Oracle WebCenter Sites (FatWire CMS) |
Notable Archived Documents
| # | Document | Type | Notes |
|---|---|---|---|
| 1 | HIPAA Stroke Registry Forms | Clinical/compliance document | |
| 2 | Privacy and Confidentiality Policy P205 | Full internal privacy policy | |
| 3 | Photographing/Recording Policy C137 | Internal policy on recording patients and staff | |
| 4 | SelectHealth Provider Manual (2006) | Insurance operations document | |
| 5 | Incident and Reporting Policy | ACN health home incident reporting procedures | |
| 6 | Employee Portal (archived) | HTML | Benefits, pension statements, FICA refunds page |
| 7 | Vendor Policy Series | | Multiple numbered policies (C140, D160, I210, etc.) |
Assessment: MEDIUM-HIGH
Summary: NYP has a massive 27-year Wayback Machine footprint with 150,000+ archived pages. The archive contains internal policy documents with numbered codes, provider manuals, clinical operations documents, and an archived employee portal.
Certificate Transparency
Domain analyzed: nyp.org
| Property | Value |
|---|---|
| Total certificates found | ~130 |
| Certificate issuer(s) | DigiCert (enterprise), Google Trust Services (public www via Cloudflare) |
| Wildcard certs? | No — each subdomain has its own explicitly named certificate |
| Renewal pattern | Annual (DigiCert), 90-day automated (Cloudflare for www) |
Subdomains Discovered (115+ unique, selected highlights)
| Category | Count | Examples |
|---|---|---|
| Public-Facing | 11 | www, doctors, news, careers, mobile, healthmatters |
| Patient Portals | 3 | myhealth, nypcares, webportal |
| Campus Profiles | 12 | profiles, allenprofiles, cadcprofiles, cancerprofiles, neuroprofiles |
| Regional Directories | 9 | brooklyndoctors, hudsonvalleydoctors, queensdoctors, medgroup* variants |
| Intranet Systems | 5 | infonet, infonetmobile, infonethudson, infonetqueens, exfonet |
| Executive/Internal | 4 | execportal, finance, dashboard, protocols |
| Medical Credentialing | 6 | mdstaffcolumbia, mdstaffcornell, mdstaffmsow, mdstaffnypmg |
| Research | 5 | redcap, redcaptest, cerebro, cerebrotest, rogosinredcap |
| Security/Identity | 8 | infosecure, api.infosec, sslvpn, oneid-test, imprivatatest |
| VPN/Remote Access | 9 | sslvpn, pra, pra2, pragateway, praweb, pratest |
| Contact Center | 5 | cceadmin, ccefinesse, ccemaintapp, ccereports |
| DevOps | 6 | sonarqube, buildnyp.sdo, daggerboard, pitechpoc, hera.uat.sdo |
| Alternate Domains | 15+ | nyhq.org, innovatenyp.org, epictogetherny.org, nypchildrens.net |
Assessment: MEDIUM
Summary: NYP's certificate strategy is enterprise-grade (DigiCert, no wildcards, proper rotation). However, CT logs expose the full breadth of internal infrastructure — intranet portals, research databases, security tools, VPN endpoints, and dev/test environments.
Infrastructure & Technical Surface
Domain analyzed: nyp.org
| Record | Value | Significance |
|---|---|---|
| A | 143.104.236.115, 156.111.236.115 | Self-hosted: NYP's own /16 IP block + Columbia University network |
| MX | mxa-00227301.gslb.pphosted.com | Proofpoint enterprise email security gateway |
| NS | ns1.nyp.org, ns2.nyp.org + cornell.edu secondaries | Self-hosted DNS with Weill Cornell backup |
| TXT | SPF, MS (x3), Google (x3), Atlassian, DocuSign (x2), VMware, Duo, OneTrust (x2), Zoom, Cisco, HPE | 16+ SaaS vendor domain verifications |

| Property | Value |
|---|---|
| Hosting platform | Self-hosted (ARIN-registered /16 block) + Acquia/Drupal for public site |
| Domain type | .org |
| Email provider | Proofpoint gateway → Microsoft 365 backend |
| CDN/Proxy | Cloudflare (www only); F5 BIG-IP (bare domain) |
| Subdomains discovered | 2,166+ |
| Security headers | Full suite (HSTS, X-Frame-Options, CSP, X-Content-Type-Options) |
| EHR Platform | Epic |
Technology Stack Revealed via DNS/CT Logs
| Vendor | Category |
|---|---|
| Epic | Electronic Health Records |
| Palo Alto Panorama | Network Security |
| Cisco Expressway/CCE | Unified Communications & Contact Center |
| Aruba ClearPass | Network Access Control |
| Imprivata | Identity & Access Management |
| Proofpoint | Email Security |
| SonarQube | Code Quality |
| Daggerboard | SBOM/Vulnerability Tracking |
| REDCap | Research Data Capture |
| Everbridge | Emergency Mass Notification |
| Vocera | Clinical Voice Communication |
| ADP | Payroll/HR |
| Salesforce Marketing Cloud | Email Marketing |
Assessment: HIGH
Summary: NYP operates one of the most extensive institutional web infrastructures observed — 2,166+ unique subdomains, its own ARIN-registered /16 IP block, and deep network integration with Columbia and Cornell. The scale, including 374 dev/test subdomains visible in CT logs, provides a detailed reconnaissance map of the technology stack.
Funding & Contract Records
Key Financial Profile (IRS 990 / ProPublica)
| Field | Value |
|---|---|
| Legal Name | The New York and Presbyterian Hospital |
| EIN | 13-3957095 |
| Total Revenue (2024) | $10.7B |
| Total Expenses (2024) | $10.1B |
| Total Assets | $21.9B |
| Employees | 36,103 |
| CEO Compensation (Corwin, 2024) | $26.3M |
Federal Funding Records
| # | Record | Amount | Agency | Notes |
|---|---|---|---|---|
| 1 | HRSA Ryan White HIV/AIDS | $2.7M | HRSA | Coordinated services grant |
| 2 | SAMHSA Mental Health | $1.2M | SAMHSA | Substance abuse/mental health |
| 3 | FEMA COVID-19 Reimbursement | $60M | FEMA | H1 2025 pandemic response costs |
| 4 | Youth Opportunity Hub (CJII) | $10.3M | Manhattan DA | 4-year grant for Washington Heights |
| 5 | HRSA 340B Drug Pricing | Program benefit | HRSA | 340B ID: 25027; discounted drug purchasing |
Subsidiary Entities (13+ identified)
| # | Entity | EIN | Relationship |
|---|---|---|---|
| 1 | The New York and Presbyterian Hospital | 13-3957095 | Core operating entity |
| 2 | NY Presbyterian Hospitals Healthcare System Inc | 13-3792361 | Parent/system entity |
| 3 | New York Presbyterian Fund Inc | 13-3160356 | Foundation ($138.5M annual grants, $3.7B assets) |
| 4 | New York Presbyterian Foundation Inc | 13-4153668 | Foundation entity |
| 5 | NewYork Presbyterian Queens | 11-1839362 | Subsidiary hospital |
| 6 | New York Presbyterian Brooklyn Methodist | 11-1631796 | Subsidiary hospital |
Assessment: MEDIUM-HIGH
Summary: NYP's financial profile is fully reconstructable from public sources: $10.7B revenue, $21.9B assets, and a 13+ entity corporate structure each filing separate IRS 990s.
Legal & Regulatory Records
| # | Case/Matter | Type | Amount/Status | Notes |
|---|---|---|---|---|
| 1 | DOJ v. NYP — Antitrust | Federal Civil | Active (March 2026) | Sherman Act Section 1: "all-or-nothing" insurer contracts |
| 2 | Hadden Sexual Abuse Settlement | State Mass Tort | $750M (May 2025) | Combined total exceeds $1B. Institutional knowledge since 1995. |
| 3 | Brooklyn Methodist — Healthcare Fraud | Federal (FCA) | $17.3M | Unlawful kickbacks at chemotherapy infusion center |
| 4 | Hudson Valley — Kickback Settlement | Federal (AKS) | $6.8M | Kickbacks to oncology practice for referrals (2011-2019) |
| 5 | Queens — Healthcare Fraud | Federal (FCA) | $2.5M | Medically unnecessary services billed to federal programs |
| 6 | Improper Billing Settlement | Federal (FCA) | $800K | Radiology practices improperly billed Medicare/Medicaid/TRICARE |
| 7 | Nurse Staffing Violations | Labor Arbitration | ~$675K + 141 vacation days | 614 safe-staffing violations (Jan 2023-May 2024). NYP appealing. |
| 8 | Meta Pixel Tracking Class Action | Federal Class Action | Pending | Patient data shared via tracking pixels from Meta, Google, TikTok |
Assessment: MEDIUM-HIGH
Summary: Enforcement actions span antitrust, anti-kickback, false claims, HIPAA privacy, and labor law. The breadth across multiple subsidiaries and time periods elevates this beyond routine litigation. The active DOJ antitrust suit is the most significant current matter.
Disaster & Environmental
| # | Declaration | Date | Notes |
|---|---|---|---|
| 1 | FEMA-4085-DR (Hurricane Sandy) | 2012-10-30 | NYP maintained operations; received transfer patients from evacuated hospitals |
| 2 | FEMA-4480-DR (COVID-19) | 2020-03-20 | Among hardest-hit systems during initial NYC surge |
| 3 | FEMA-4615-DR (Hurricane Ida remnants) | 2021-09-05 | Record rainfall/flooding near NYP/Columbia campus |
| 4 | FEMA-1391-DR (September 11) | 2001-09-11 | Primary receiving hospital for 9/11 casualties |
Assessment: LOW
Summary: NYP operates in a high-disaster-frequency jurisdiction. However, its institutional record demonstrates strong emergency resilience — maintaining operations during Sandy when peers evacuated, and serving as a frontline COVID-19 system.
Media & Public Narrative
| # | Story | Date | Publication | Key Points |
|---|---|---|---|---|
| 1 | DOJ Antitrust Lawsuit | 2026-03 | DOJ | "All-or-nothing" insurer contracts |
| 2 | 40K City Workers May Lose Coverage | 2026-04 | THE CITY | NYP-EmblemHealth rate dispute; NYP charges 77% more |
| 3 | UHC Drops NYP from Medicare Advantage | 2025 | CBS NY | Jan 2026 effective; access disruption for seniors |
| 4 | Hadden $750M Settlement | 2025-05 | Columbia Spectator | Total payouts exceed $1B |
| 5 | 2% Workforce Layoffs (~1,000) | 2025-05 | Healthcare Dive | 4 days after Hadden settlement |
| 6 | U.S. News #5 Nationally, #1 in NY | 2025 | U.S. News | 22nd consecutive year on Honor Roll |
| 7 | $1.2B Cancer Center ("The Beacon") | 2025 | Crain's | 16-story facility, completion 2028 |
Leadership (as of April 2026)
| Name | Role |
|---|---|
| Dr. Brian G. Donley | President & CEO (since Jan 22, 2026) |
| Dr. Deepa Kumaraiah | EVP & COO (since Jan 22, 2026) |
| Michael P. Breslin | Group SVP, CFO & Treasurer |
| Mary Beth Claus | Group SVP, Chief Legal Officer |
| Adebayo O. Ogunlesi | Board Co-Chair (also Chairman, Global Infrastructure Partners) |
| Jerry Speyer | Board Co-Chair (also Chairman, Tishman Speyer) |
Assessment: MEDIUM-HIGH
Summary: NYP is undergoing a CEO transition while facing the most adversarial regulatory environment in its history. The DOJ antitrust suit, insurer disputes, and $1B+ settlements dominate the narrative, even as the institution maintains #5 national ranking and executes $1.2B+ in capital expansion.
Risk Summary
| Category | Assessment |
|---|---|
| Governance & Sensitive Documents | LOW |
| Personnel & PII Exposure | MEDIUM-HIGH |
| Financial Documents | LOW |
| HIPAA & Regulatory Enforcement | HIGH |
| Wayback Machine Archive | MEDIUM-HIGH |
| Certificate Transparency | MEDIUM |
| Infrastructure & Technical Surface | HIGH |
| Funding & Contract Records | MEDIUM-HIGH |
| Legal & Regulatory Records | MEDIUM-HIGH |
| Disaster & Environmental | LOW |
| Media & Public Narrative | MEDIUM-HIGH |
NewYork-Presbyterian Hospital has one of the largest digital footprints of any healthcare institution in the United States, commensurate with its $10.7B annual revenue and 36,000+ employees. The footprint extends across 2,166+ subdomains, 150,000+ archived web pages, 13+ subsidiary entities each with separate federal filings, a decade of HIPAA enforcement history, and active DOJ antitrust litigation.
Recommendations
Immediate Actions
1. Address the NYSNA staff contact list. Request removal of the "MASTER Contact LIST" from nysna.org or work with the union to redact direct contact information. This document aggregates staff names, phones, and emails across multiple facilities on a domain NYP does not control.
2. De-index authentication endpoints. Seven or more login pages (iNYP intranet, MobileIron MDM, InfoSec API, PingFederate SSO) are indexed by search engines. Implement robots.txt disallow rules and X-Robots-Tag: noindex headers for all authentication-only subdomains.
3. Audit certificate transparency exposure. The 374 dev/test subdomains visible in CT logs reveal internal naming conventions and development infrastructure. Consider using private CAs for internal-only systems that do not require public trust.
4. Monitor third-party data aggregators. ZoomInfo, LeadIQ, and ContactOut are actively scraping and reselling NYP employee information. Evaluate contractual and legal options for data removal.
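A check for the de-indexing action above, written as an added example (not part of the original audit); URLs, headers and robots.txt content are constructed. It classifies each endpoint by how the two controls combine, because a Disallow rule stops the crawler from ever fetching the page and therefore from ever seeing an X-Robots-Tag: noindex header on it.

```python
"""Check that an authentication endpoint is actually kept out of search indexes
(added example for the de-indexing recommendation, not part of the audit).
URLs, header values and robots.txt content are constructed."""
from urllib.robotparser import RobotFileParser

CRAWLER = "Googlebot"  # any named agent works; robots rules are evaluated for it

# Constructed robots.txt as served from one SSO host.
ROBOTS_TXT = """User-agent: *
Disallow: /api/
"""

# Constructed endpoints: (URL, response headers as the server sends them).
ENDPOINTS = [
    ("https://sso.example-hospital.org/login", {"X-Robots-Tag": "noindex, nofollow"}),
    ("https://sso.example-hospital.org/api/login", {"X-Robots-Tag": "noindex"}),
    ("https://sso.example-hospital.org/api/status", {}),
    ("https://sso.example-hospital.org/forgot", {"x-robots-tag": "nofollow"}),
]


def crawl_allowed(url, robots_txt, agent=CRAWLER):
    """Evaluate robots.txt for the URL the way a compliant crawler would."""
    rp = RobotFileParser()
    rp.parse(robots_txt.splitlines())
    return rp.can_fetch(agent, url)


def has_noindex(headers):
    """True if any X-Robots-Tag header (case-insensitive) carries noindex."""
    for name, value in headers.items():
        if name.lower() != "x-robots-tag":
            continue
        for directive in value.split(","):
            # Agent-scoped forms like "googlebot: noindex" keep the part after ':'
            if directive.split(":")[-1].strip().lower() == "noindex":
                return True
    return False


def deindex_status(url, headers, robots_txt=ROBOTS_TXT):
    """Classify how robots.txt and X-Robots-Tag combine for one URL.

    The two controls interact: Disallow stops the crawler from fetching the
    page, so a noindex header on a disallowed path is never seen and the URL
    can still be listed from external links.  noindex only takes effect on
    pages the crawler is allowed to fetch.
    """
    crawlable = crawl_allowed(url, robots_txt)
    noindex = has_noindex(headers)
    if crawlable and noindex:
        return "deindexed"                # fetched, noindex honoured
    if noindex:
        return "noindex-unreachable"      # blocked by Disallow; header never seen
    if not crawlable:
        return "disallowed-but-listable"  # not crawled, but URL may still appear
    return "indexable"


def audit(endpoints, robots_txt=ROBOTS_TXT):
    """Map each URL to its status; anything other than 'deindexed' needs work."""
    return {url: deindex_status(url, hdrs, robots_txt) for url, hdrs in endpoints}
```

Run `audit(ENDPOINTS)` against a real export of your login hosts' headers and robots.txt; a path that needs to be both uncrawlable and unlisted should be served with noindex and left crawlable, or protected so that it returns no content to unauthenticated clients at all.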
Ongoing Monitoring
1. Wayback Machine monitoring. With 150,000+ archived pages, removed content remains perpetually accessible. Implement periodic audits of what the archive reveals about internal policies and infrastructure.
2. Federal enforcement tracking. Given enforcement actions across antitrust, anti-kickback, false claims, and HIPAA domains, implement systematic monitoring of DOJ, OIG, OCR, and NY AG announcements.
3. CT log monitoring. Subscribe to certificate transparency log notifications for nyp.org to detect unauthorized certificate issuance or unexpected subdomain creation.
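A baseline-and-diff review of CT entries that serves both the certificate exposure audit (Immediate Actions, item 3) and the CT log monitoring item above; it is an added example, not part of the original audit. It assumes the crt.sh JSON layout (one object per certificate, SANs newline-separated in `name_value`) and uses a constructed domain, allowlist and records rather than live data.

```python
"""CT baseline-and-diff review for one domain (added example, not part of the
audit).  Assumes the crt.sh JSON layout: one object per certificate, SANs
newline-separated in "name_value".  Domain, allowlist and records are constructed."""
import re

DOMAIN = "example-hospital.org"                     # constructed placeholder
EXPECTED_ISSUERS = ("DigiCert", "Google Trust Services")  # per the audit's findings
KNOWN = {"www", "doctors", "myhealth", "careers"}   # labels approved for public certs
# Heuristic for dev/test naming (private-CA candidates); tune to local conventions.
NONPROD = re.compile(r"test|staging|sandbox|(^|[.-])(dev|uat|poc)([.-]|$)")

# Constructed crt.sh-style records, trimmed to the fields used here.
RECORDS = [
    {"id": 101, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS CA1",
     "common_name": "www.example-hospital.org",
     "name_value": "www.example-hospital.org\nexample-hospital.org"},
    {"id": 102, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS CA1",
     "common_name": "redcaptest.example-hospital.org",
     "name_value": "redcaptest.example-hospital.org"},
    {"id": 103, "issuer_name": "C=US, O=DigiCert Inc, CN=DigiCert TLS CA1",
     "common_name": "sslvpn.example-hospital.org",
     "name_value": "sslvpn.example-hospital.org\nlogin.partner-example.net"},
    {"id": 104, "issuer_name": "C=US, O=Let's Encrypt, CN=R11",
     "common_name": "*.example-hospital.org",
     "name_value": "*.example-hospital.org"},
]


def hostnames(record):
    """Every name a certificate covers: the CN plus each SAN, lower-cased."""
    names = set(record.get("name_value", "").splitlines())
    names.add(record.get("common_name", ""))
    return {n.strip().lower() for n in names if n.strip()}


def label(host):
    """Subdomain label under DOMAIN, '' for the apex, None for a foreign name."""
    if host == DOMAIN:
        return ""
    suffix = "." + DOMAIN
    return host[:-len(suffix)] if host.endswith(suffix) else None


def review(records, known):
    """Flag what a defender should act on in a CT pull for DOMAIN."""
    findings = {k: set() for k in
                ("unknown", "nonprod", "wildcard", "unexpected_issuer", "foreign")}
    for rec in records:
        if not any(ca in rec.get("issuer_name", "") for ca in EXPECTED_ISSUERS):
            findings["unexpected_issuer"].add(rec["id"])
        for host in hostnames(rec):
            lbl = label(host)
            if lbl is None:                      # SAN outside the monitored domain
                findings["foreign"].add(host)
            elif lbl.startswith("*"):            # audit notes a no-wildcard policy
                findings["wildcard"].add(host)
            else:
                if NONPROD.search(lbl):          # dev/test name on a public cert
                    findings["nonprod"].add(host)
                if lbl and lbl not in known:     # never approved: investigate
                    findings["unknown"].add(host)
    return findings


def new_hosts(previous, records):
    """Names in this pull that were absent from the stored baseline (the diff)."""
    return set().union(*(hostnames(r) for r in records)) - set(previous)
```

Persist the output of `hostnames()` across runs so that `new_hosts()` turns a periodic pull into an alert on unexpected issuance; an `unexpected_issuer` hit for a name you never requested is the case that warrants an incident ticket rather than a naming clean-up.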
Strategic Considerations
1. The infrastructure footprint is a map. The combination of 2,166+ subdomains, DNS TXT records revealing 16+ SaaS vendors, and CT logs exposing specific products means a threat actor can construct a detailed technology inventory without touching the network.
2. Subsidiary fragmentation creates audit complexity. With 13+ entities each maintaining separate federal filings, IRS 990s, and state registrations, the total compliance surface is significantly larger than what any single-entity search reveals.
3. The public narrative is bifurcated. NYP simultaneously holds elite clinical rankings while facing unprecedented legal and pricing scrutiny. Any engagement should account for both the institutional prestige and the regulatory headwinds.
What This Means
Competitive intelligence exposure means your rivals, litigants, and potential partners can reconstruct more about your operations than any single disclosure was intended to reveal. The digital footprint of a $10.7 billion academic medical center is the cumulative result of every federal filing, regulatory enforcement action, certificate issuance, archived web page, and third-party data aggregation — assembling into a composite picture that no single department authorized or intended.