$4.8 Million Settlement for Breach

Heftiest HIPAA Penalty Yet from Federal Regulators

By , May 7, 2014.
The Department of Health and Human Services has issued its largest HIPAA enforcement action to date, entering settlements totaling $4.8 million with two New York organizations tied to the same 2010 breach. The incident, which involved unsecured patient data on a network, affected about 6,800 patients.

The settlements with New York-Presbyterian Hospital and Columbia University cite, among other factors, the lack of a risk analysis and failure to implement appropriate security policies.

In a joint statement provided to Information Security Media Group, the two New York organizations say, "[We] are committed to providing not only the highest levels of medical care to our patients but also handling their personal and medical data with the greatest respect and integrity. For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question, as well as undertaking substantial efforts concerning the protection of privacy and security of patient data. We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS."

Commenting on the size of the penalty in the settlement, security expert Brian Evans, principal consultant of Tom Walsh Consulting, notes: "I would expect to see these kinds of settlements since OCR has repeatedly stated that they are stepping up their enforcement actions."

Breach Investigation

HHS' Office for Civil Rights initiated its investigation after the two New York organizations submitted a joint breach report, dated Sept. 27, 2010, regarding the disclosure of electronic protected health information (ePHI), including patient status, vital signs, medications and laboratory results.

Columbia University faculty members serve as attending physicians at NY Presbyterian. The entities refer to their affiliation as "New York Presbyterian Hospital/Columbia University Medical Center."

NY Presbyterian and Columbia University operate a shared data network and a shared network firewall administered by employees of both entities. The shared network links to NY Presbyterian patient information systems containing electronic protected health information, according to OCR.

The OCR investigation revealed that the breach was caused when a physician employed by the university who developed applications for both NY Presbyterian and Columbia University attempted to deactivate a personally owned computer server on the network containing information on hospital patients.

Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on Internet search engines. The entities learned of the breach after receiving a complaint from an individual who found the ePHI of the individual's deceased partner, a former patient at NY Presbyterian, on the Internet.

In addition to the impermissible disclosure of ePHI on the Internet, OCR's investigation found that neither NY Presbyterian nor Columbia University made efforts before the breach to ensure that the server was secure and that it contained appropriate software protections, OCR says.

"Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI," OCR says in a statement. "As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI."

NY Presbyterian failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management, OCR says.

"When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information," says Christina Heide, acting deputy director of health information privacy for OCR. "Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems."

NY Presbyterian has paid OCR a monetary settlement of $3.3 million, while Columbia University has paid $1.5 million. Also, both entities agreed to a corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports, OCR reports.

Follow Marianne Kolbasuk McGee on Twitter: @HealthInfoSec
