New York-Presbyterian Hospital and Columbia University have reached settlement agreements totaling $4.8 million with the Office for Civil Rights at HHS
following the exposure to the Internet more than three years ago of 6,800 patients' records, including the patients' vital signs and lab test results.
The hospital, whose data system was breached, caught the lion's share of the settlement amount, $3.3 million, with the university agreeing to an additional $1.5 million. Each also agreed to prepare a “substantive corrective action plan” that includes “undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports,” according to an HHS statement
that pronounces the combined payment to be “the largest HIPAA
settlement to date.”
The hospital and the university are separate-covered entities affiliated as New York-Presbyterian Hospital/Columbia University Medical Center and operate a shared data network linked to the hospital's information system, the civil rights office said. The two organizations submitted a joint breach
report Sept. 27, 2010, when they received a complaint from an individual who had found a deceased partner's patient information from the hospital on the Internet.
An investigation found the breach was caused when a physician employed by the university, who had developed applications for both the hospital and the university, “attempted to deactivate a personally owned computer server on the network.”
“Because of a lack of technical safeguards, deactivation of the server resulted in ePHI (electronic protected health information) being accessible on Internet search engines,” according to the Office for Civil Rights statement.
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, acting deputy director of health information privacy for OCR. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”
The previous record amount for a HIPAA violation was $4.3 million in civil monetary penalties levied in 2011 against Cignet Health
, Temple Hills, Md., a company operating a health plan and four physician offices. A subsequent legal fight and court order pushed Cignet's final tab to nearly $4.8 million.
Thus far, there have been 985 reports of breaches large enough to involve 500 or more persons' medical records reported to the Office for Civil Rights and posted on its “wall of shame” website
as required by the federal breach notification requirements of the American Recovery and Reinvestment Act of 2009
. Those posted breaches account for the exposure of 31.3 million records. Follow Joseph Conn on Twitter: @MHJConn