New York-Presbyterian Hospital (NYP) and Columbia University (CU) Medical Center have paid $4.8 million to settle HIPAA violations arising from their failure to secure thousands of patients' electronic protected health information (ePHI) on their networks, including patient status, vital signs, medications, and laboratory results. The breach affected 6,800 patients; the settlement is the largest in HIPAA history to date.
The breach occurred when a CU physician, who developed applications for both NYP and CU, attempted to deactivate a personally owned computer server on the network that contained NYP patient ePHI, according to a statement by the U.S. Department of Health and Human Services (HHS). Because the network lacked technical safeguards, deactivating the server left the ePHI accessible to Internet search engines. The breach was discovered after an individual filed a complaint upon finding the ePHI of the individual's deceased partner, a former NYP patient, on the Internet.
NYP has paid $3.3 million and CU has paid $1.5 million to the HHS Office for Civil Rights (OCR).
NYP and CU operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.
The investigation found that neither NYP nor CU made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections. Moreover, the OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.
"Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems," OCR spokeswoman Christina Heide said.
A dental practice is covered by HIPAA if it sends a "covered transaction" in electronic form, such as submitting a claim to a dental plan, or if another party such as a clearinghouse sends an electronic covered transaction on behalf of the dental practice, according to the ADA.