Many thanks once again to our colleague, Robin Canowitz, for authoring this post.
In the largest HIPAA settlement yet to be announced, two New York organizations have agreed to pay $4.8 million to settle allegations that they failed to secure the electronic protected health information (ePHI) of thousands of their patients. New York Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report in September of 2010, indicating that the disclosed ePHI of 6,800 individuals included patient status, vital signs, medications and laboratory results. The organizations are separate entities for HIPAA purposes, but operated a shared data network that was administered by employees of both entities.
According to the U.S. Department of Health & Human Services (HHS) Office of Civil Rights (OCR), the breach occurred when a physician employed by both entities attempted to deactivate a personally owned computer server on a network containing ePHI from NYP. Due to a lack of technical safeguards, the deactivation of the server resulted in ePHI being accessible through internet search engines. OCR noted that its investigation also revealed that neither NYP nor CU had made efforts prior to the breach to ensure that the server was secure and contained appropriate protections. Further, OCR determined that neither entity had conducted an accurate and thorough risk analysis of the systems that accessed ePHI.
NYP agreed to pay a monetary settlement of $3.3 million, while CU agreed to pay $1.5 million. Both entities have also agreed to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports.
You can read the corrective action plans here.