2 NYC Hospitals Pay Record HIPAA Settlement

New York-Presbyterian Hospital and Columbia University Medical Center have agreed to pay $4.8 million for possible HIPAA violations.

May 08, 2014 Robin Hattersley

2 NYC Hospitals Pay Record HIPAA Settlement

The settlement is related to a breach that occurred in 2010 at New York-Presbyterian Hospital and Columbia University Medical Center.

New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) have agreed to pay a $4.8 million settlement for potentially violating the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by failing to secure thousands of patients’ electronic protected health information (ePHI) held on their network.

The payment is the largest HIPAA settlement to date.

The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) initiated its investigation of both organizations following their submission of a joint breach report in 2010 regarding the disclosure of the records of 6,800 individuals, including patient status, vital signs, medications, and laboratory results.

The investigation revealed that the breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual’s deceased partner, a former patient of NYP, on the internet.

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

NYP has paid OCR $3.3 million and CU $1.5 million, with both entities agreeing to improve date security, including conducting a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.

Photo by DRosenbach at English Wikipedia [CC-BY-SA-3.0 (http://creativecommons.org/licenses/by-sa/3.0) or GFDL (http://www.gnu.org/copyleft/fdl.html)], via Wikimedia Commons

If you appreciated this article and want to receive more valuable industry content like this, click here to sign up for our FREE digital newsletters!

About the Author

Robin Hattersley, Editor-in-Chief

Contact:

Robin has been covering the security and campus law enforcement industries since 1998 and is a specialist in school, university and hospital security, public safety and emergency management, as well as emerging technologies and systems integration. She joined CS in 2005 and has authored award-winning editorial on campus law enforcement and security funding, officer recruitment and retention, access control, IP video, network integration, event management, crime trends, the Clery Act, Title IX compliance, sexual assault, dating abuse, emergency communications, incident management software and more. Robin has been featured on national and local media outlets and was formerly associate editor for the trade publication Security Sales & Integration. She obtained her undergraduate degree in history from California State University, Long Beach.