New York-Presbyterian Hospital and Columbia University have reached settlement agreements totaling $4.8 million with the Office for Civil Rights at HHS more than three years after 6,800 patients' records were exposed on the Internet, including patients' vital signs and lab test results.
The hospital, whose data system was breached, caught the lion's share of the settlement amount, $3.3 million, with the university agreeing to an additional $1.5 million. Each also agreed to prepare a “substantive corrective action plan” that includes “undertaking a risk analysis, developing a risk-management plan, revising policies and procedures, training staff and providing progress reports,” according to an HHS statement that pronounces the combined payment to be “the largest HIPAA settlement to date.”
The hospital and the university are separate covered entities affiliated as New York-Presbyterian Hospital/Columbia University Medical Center and operate a shared data network linked to the hospital's information system, the OCR said. The organizations submitted a joint breach report Sept. 27, 2010, after receiving a complaint from an individual who found a deceased partner's patient information from the hospital on the Internet.
An investigation found the breach was caused when a physician employed by the university, who had developed applications for both the hospital and the university, “attempted to deactivate a personally owned computer server on the network. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI (electronic protected health information) being accessible on Internet search engines,” according to an OCR statement.

Follow Joseph Conn on Twitter: @MHJConn