The U.S. Department of Health and Human Services’ Office for Civil Rights (OCR) recently announced that New York Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) have agreed to pay a combined $4.8 million to settle charges that they violated HIPAA rules by failing to secure the electronic protected health information (ePHI) of 6,800 patients (h/t Computerworld).
NYP and CU operate a shared data network and a shared firewall. The breach occurred when a CU physician attempted to deactivate a personally owned server that was connected to that network. “Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines,” OCR said in a statement.
The breach was discovered when someone complained to NYP after finding their deceased partner’s ePHI online.
An investigation determined that neither organization had made any effort prior to the breach to ensure that the server was secure, and that neither had developed an adequate risk management plan. NYP had also failed to implement appropriate policies and procedures for authorizing access to its databases, and had failed to comply with its own information access management policies.
NYP was fined $3.3 million, and CU was fined $1.5 million. Both organizations have agreed to undertake a risk analysis, develop a risk plan, revise policies and procedures, train staff, and provide progress reports.
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” Christina Heide, Acting Deputy Director of Health Information Privacy for OCR, said in a statement. “Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems.”