New York-Presbyterian Hospital Pays $3.3 Million in Largest HIPAA Data Breach Settlement to Date

Author: Gloria Ju

May 9, 2014

New York-Presbyterian Hospital (NYP) has agreed to pay $3.3 million in a data breach settlement under the Health Insurance Portability and Accountability Act (HIPAA), the largest settlement of its kind to date. Covered entities that participate in joint HIPAA compliance arrangements share the burden of addressing the risks to protected health information. Failing to secure thousands of patients' electronic protected health information (ePHI) cost NYP and Columbia University (CU) a combined $4.8 million for potential HIPAA violations.

NYP and CU are separate covered entities that participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. They operate a shared data network and a shared network firewall that is administered by employees of both entities. The shared network links to NYP patient information systems containing ePHI.

The US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) found that 6,800 individuals' ePHI, including patient status, vital signs, medications and laboratory results, became accessible through internet search engines. The breach occurred when a physician employed by CU, who developed applications for both NYP and CU, tried to deactivate a personally owned computer server on the network that contained NYP patient ePHI. Because of a lack of technical safeguards, deactivating the server resulted in the impermissible disclosure of the ePHI. The breach was discovered by an individual who found the ePHI of his or her deceased partner, a former NYP patient, on the internet.

OCR also found that neither NYP nor CU had:

  • Made efforts prior to the breach to ensure that the personally owned server was secure and contained appropriate software protections;
  • Conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI; or
  • Developed an adequate risk management plan that addressed potential threats and hazards to ePHI security.

NYP also failed to:

  • Implement appropriate policies and procedures for authorizing access to its databases; or
  • Comply with its own policies on information access management.

As a result of the breach, CU agreed to pay $1.5 million. Both entities agreed to take the following corrective action, collaborating as needed:

  • Conduct a comprehensive and thorough risk analysis;
  • Develop and implement a risk management plan;
  • Review and revise information access management policies and procedures;
  • Implement a process for evaluating environmental and operational changes;
  • Review and revise device and media controls policies and procedures; and
  • Develop or enhance a privacy and security awareness training program.