New York-Presbyterian Hospital and Columbia University have reached settlement agreements totaling $4.8 million with the Office for Civil Rights at HHS, more than three years after the records of 6,800 patients, including vital signs and lab test results, were exposed on the Internet.
The hospital, whose data system was breached, caught the lion's share of the settlement amount, $3.3 million, with the university agreeing to an additional $1.5 million. Each also agreed to prepare a “substantive corrective action plan” that includes “undertaking a risk analysis, developing a risk-management plan, revising policies and procedures, training staff and providing progress reports,” according to an HHS statement that pronounces the combined payment to be “the largest HIPAA settlement to date.”