Columbia University, NY hospital to pay $4.8 million HIPAA fine

Share this article:
Columbia University, NY hospital to pay $4.8 million HIPAA fine
The agreement marks the largest HIPAA settlement to date.

Columbia University and an affiliated health care entity, New York-Presbyterian Hospital (NYP), have reached the largest HIPAA settlement to date, bringing resolution to a breach investigation.

The organizations will pay the Department of Health and Human Services' Office for Civil Rights $4.8 million to avoid being found in violation of Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

According to an HHS announcement released last week, the organizations have also agreed to implement a corrective action plan, which will include risk analysis, development of a risk management plan, staff training, and updating organizational policies and procedures.

HHS began investigating Columbia and NYP after the entities notified the agency of a breach in September 2010 by filing a joint report. The investigation centered around the electronic protected health information (ePHI) of 6,800 people being exposed, which included data about patient status, vital signs, medications and laboratory results, the HHS release said.

The organizations are affiliated in that Columbia University faculty members serve as attending physicians at one of NYP's facilities, New York-Presbyterian Hospital/Columbia University Medical Center.

The breach occurred when a Columbia University physician tried to deactive a computer server, which left the data of NYP patients accessible through a simple online search, HHS revealed.

“The investigation revealed that the breach was caused when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI,” the release said. “Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.  The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.”

Under the settlement terms, New York-Presbyterian will pay the bulk of the HIPAA fine, $3.3 million (PDF), while Columbia agreed to shell out the remaining $1.5 million (PDF). The deal comes just after Humana subsidiary Concentra agreed to pay $1.7 million to settle with the HHS over potential HIPAA violations.

Share this article:
You must be a registered member of SC Magazine to post a comment.

Sign up to our newsletters

More in News

Tinba variant aimed at U.S., international banks

Tinba variant aimed at U.S., international banks

Researchers at AVAST have unlocked a Tinba variant and discovered it has been customized to target U.S. financial institutions.

Adobe makes delayed updates for Reader, Acrobat available

The Reader and Acrobat fixes were delayed a week due to issues found during testing.

Nigerian police search for ringleader in major bank heist

The suspect, Godswill Oyegwa Uyoyou, conspired with others to hack bank systems and divert 6.28 billion Naira to mule accounts.