Columbia University, NY hospital to pay $4.8 million HIPAA fine

The agreement marks the largest HIPAA settlement to date.

Columbia University and an affiliated health care entity, New York-Presbyterian Hospital (NYP), have reached the largest HIPAA settlement to date, bringing resolution to a breach investigation.

The organizations will pay the Department of Health and Human Services' Office for Civil Rights $4.8 million to avoid being found in violation of Health Insurance Portability and Accountability Act of 1996 (HIPAA) privacy and security rules.

According to an HHS announcement released last week, the organizations have also agreed to implement a corrective action plan, which will include risk analysis, development of a risk management plan, staff training, and updating organizational policies and procedures.

HHS began investigating Columbia and NYP after the entities notified the agency of a breach in September 2010 by filing a joint report. The investigation centered around the electronic protected health information (ePHI) of 6,800 people being exposed, which included data about patient status, vital signs, medications and laboratory results, the HHS release said.

The organizations are affiliated in that Columbia University faculty members serve as attending physicians at one of NYP's facilities, New York-Presbyterian Hospital/Columbia University Medical Center.

The breach occurred when a Columbia University physician tried to deactivate a computer server, which left the data of NYP patients accessible through a simple online search, HHS revealed.

“The investigation revealed that the breach was caused when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI,” the release said. “Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines. The entities learned of the breach after receiving a complaint by an individual who found the ePHI of the individual's deceased partner, a former patient of NYP, on the internet.”

Under the settlement terms, New York-Presbyterian will pay the bulk of the HIPAA fine, $3.3 million, while Columbia agreed to shell out the remaining $1.5 million. The deal comes just after Humana subsidiary Concentra agreed to pay $1.7 million to settle with the HHS over potential HIPAA violations.
