This month the Office for Civil Rights (OCR) of the Department of Health and Human Services (HHS) issued the largest financial penalty to date for violations of the Privacy and Security Rules of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). The breach occurred when a physician at Columbia University deactivated a computer server on a shared network, leaving electronic protected health information (ePHI) exposed and indexable by internet search engines. The exposure came to light when an individual found the ePHI of a deceased partner while searching the internet.
The data was held on a server operating within a network shared by New York and Presbyterian Hospital (NYP) and Columbia University (CU) and sitting behind a shared network firewall. When the physician, who had developed applications for the healthcare organization, deactivated a personally owned computer server on that network, the ePHI it held became reachable from the internet and was picked up by search engines. A device that an individual owns and administers, but that sits inside the organization's network perimeter, is exactly the kind of asset that a risk analysis has to enumerate, because the shared firewall alone gives no assurance once the device's own configuration changes.
OCR investigated NYP and CU after the two institutions jointly filed a breach notice. The incident exposed the ePHI of 6,800 individuals, including prescribed medications and medical test results.
The $4.8M settlement, the largest to date, is based on a "factual background" that all parties accept, although neither NYP nor CU has admitted liability. The penalty was imposed because the entities had not conducted a risk analysis covering the shared network and the systems on it, and had not put in place the safeguards needed to reduce the risk to ePHI to a reasonable and appropriate level, as the HIPAA Security Rule requires.
NYP has agreed to cover the bulk of the cost and has paid OCR $3.3M, while Columbia University is paying $1.5M. Both institutions have also agreed to a complete review of their policies and procedures, including developing risk management plans and conducting a full risk analysis to identify security vulnerabilities.
They have also agreed to train staff on data security and privacy. Had these steps been carried out before the breach, as HIPAA already required, the exposure and the resulting penalty could have been avoided.