Data Breach Results in $4.8 Million in HIPAA Settlements
Two health care organizations have agreed to settle charges that they potentially violated the HIPAA Privacy and Security Rules by not securing thousands of patients’ electronic protected health information (ePHI) held on their network. The combined monetary settlement totals $4.8 million and is the largest HIPAA settlement to date. The U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) investigated New York and Presbyterian Hospital (NYP) and Columbia University (CU) after they submitted a joint breach report on September 27, 2010, regarding the disclosure of the ePHI of nearly 7,000 individuals. NYP and CU are separate covered entities, but operate a shared data network and a shared network firewall that is administered by employees of both entities.
OCR’s investigation also found that neither NYP nor CU had made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections, and determined that neither entity had conducted an accurate risk analysis. Neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management. NYP has paid OCR a monetary settlement of $3.3 million and CU has paid $1.5 million, with both entities agreeing to a substantive corrective action plan.