Server mishap results in largest HIPAA fine to date

A breach of electronic protected health information impacting 6,800 individuals at two New York-area hospitals discovered in the summer of 2010 has resulted in the largest HIPAA settlement to date--$3.3 million.

For the breach, New York-Presbyterian Hospital and Columbia University were fined a total of $4.8 million, according to an announcement from the U.S. Department of Health & Human Services. NYP paid $3.3 million, while CU paid $1.5 million.

The breach involved a CU physician who had developed applications for both facilities, which participate in an arrangement under which CU faculty serve as attending physicians at NYP. The physician attempted to deactivate a personally owned computer server that was on the network and held data for NYP patients. A "lack of technical safeguards" left the information accessible through Internet search engines.

The breach was brought to the attention of the facilities after an individual found information on a deceased partner--who had been a patient at NYP--online. The breached information included patient statuses, vital signs, medications and laboratory results, as well as 10 Social Security numbers.

"When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information," Christina Heide, acting deputy director of health information privacy for the Office for Civil Rights, said in the statement. "Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems."

OCR determined that neither organization had made efforts before the breach to ensure the security of the server. Additionally, both facilities failed to develop "adequate risk management" plans.

Just last month, OCR fined two healthcare organizations a total of $2 million for failing to encrypt laptops that eventually were stolen.

And an analysis of malicious traffic by The SANS Institute published in February determined that the networks and Internet-connected devices of healthcare organizations--from hospitals to insurance carriers to pharmaceutical companies--are being compromised at an "alarming" frequency.

Last summer, information for more than 3,000 patients at Oregon Health & Science University was put at risk when medical residents stored the data on a password-protected cloud computing system.

To learn more:
- read the HHS announcement