The hospital and the university are separate covered entities affiliated as New York-Presbyterian Hospital/Columbia University Medical Center, and they operate a shared data network linked to the hospital's information system, the civil rights office said. The two organizations submitted a joint breach report on Sept. 27, 2010, after receiving a complaint from an individual who had found a deceased partner's patient information from the hospital on the Internet.
An investigation found the breach was caused when a physician employed by the university, who had developed applications for both the hospital and the university, “attempted to deactivate a personally owned computer server on the network.”
“Because of a lack of technical safeguards, deactivation of the server resulted in ePHI (electronic protected health information) being accessible on Internet search engines,” according to the Office for Civil Rights statement.
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” said Christina Heide, acting deputy director of health information privacy for OCR. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”
The previous record amount for a HIPAA violation was $4.3 million in civil monetary penalties levied in 2011 against Cignet Health, Temple Hills, Md., a company operating a health plan and four physician offices. A subsequent legal fight and court order pushed Cignet's final tab to nearly $4.8 million.
Thus far, 985 breaches affecting the medical records of 500 or more persons have been reported to the Office for Civil Rights and posted on its “wall of shame” website, as required by the federal breach notification provisions of the American Recovery and Reinvestment Act of 2009. Those posted breaches account for the exposure of 31.3 million records.