Columbia University, NY hospital to pay $4.8 million HIPAA fine

The agreement marks the largest HIPAA settlement to date.

Columbia University and an affiliated health care entity, New York-Presbyterian Hospital (NYP), have reached the largest HIPAA settlement to date, bringing resolution to a breach investigation.

The organizations will pay the Department of Health and Human Services' Office for Civil Rights $4.8 million to avoid being found in violation of Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

According to an HHS announcement released last week, the organizations have also agreed to implement a corrective action plan, which will include risk analysis, development of a risk management plan, staff training, and updating organizational policies and procedures.

HHS began investigating Columbia and NYP after the entities notified the agency of a breach in September 2010 by filing a joint report. The investigation centered around the electronic protected health information (ePHI) of 6,800 people being exposed, which included data about patient status, vital signs, medications and laboratory results, the HHS release said.

The organizations are affiliated in that Columbia University faculty members serve as attending physicians at one of NYP's facilities, New York-Presbyterian Hospital/Columbia University Medical Center.

The breach occurred when a Columbia University physician tried to deactivate a computer server, which left the data of NYP patients accessible through a simple online search, HHS revealed.

“The investigation revealed that the breach was caused when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI,” the release said. “Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.”

Under the settlement terms, New York-Presbyterian will pay the bulk of the HIPAA fine, $3.3 million, while Columbia agreed to pay the remaining $1.5 million. The deal comes just after Humana subsidiary Concentra agreed to pay $1.7 million to settle with HHS over potential HIPAA violations.
