
HIPAA Violation and Data Breach Results in 4.8M Fine

This month has seen the Office for Civil Rights (OCR) of the HHS issue the largest ever financial penalty for violation of the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules. The data breach occurred when a computer server firewall was deactivated by a physician at Columbia University, leaving electronic PHI exposed and accessible via search engines. The breach came to light when an individual discovered the ePHI of a deceased partner while searching on the internet.

The data was held on a server operating within a shared network used by both New York and Presbyterian Hospital (NYP) and Columbia University (CU), under the protection of a shared network firewall. When a personally owned computer server was deactivated by a physician, who had developed applications for the healthcare organization, the data became accessible via search engines.

The OCR conducted an investigation into NYP and CU after a data breach notice was issued jointly by the two healthcare institutions. The incident exposed the ePHI of 6,800 individuals, including prescribed medications and medical test results.

The $4.8M settlement is the largest to date and has been issued based on the “factual background” that all parties accept, although neither NYP nor CU has admitted liability for the potential loss of data. The penalty was issued because the entities in question failed to conduct a risk analysis and did not employ the appropriate safeguards to minimize the risk to electronic PHI.


NYP has agreed to cover the bulk of the cost and has now paid the OCR $3.3M, while Columbia University is covering $1.5M. Both institutions have also agreed to undertake a complete review of their policies and procedures, including developing risk management strategies and conducting a full risk analysis to identify potential security vulnerabilities.

They have also agreed to provide staff with training on data security and privacy issues. Had these steps been implemented prior to the data breach, as required by HIPAA regulations, the data exposure and the financial penalty could have been avoided.

Author: Steve Alder is the editor-in-chief of The HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
