The U.S. Department of Health and Human Services recently reported the outcome of an almost five-year-long lawsuit process that involved a major data breach of two different healthcare organizations. The Department stated that the two organizations involved agreed to settle charges that they potentially violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy and Security Rules by not effectively securing thousands of patients’ electronic protected health information (ePHI) held on their networks. The total in settlement payments comes out to $4.8 million—the largest HIPAA settlement to date.
The data breaches go back to September of 2010 when the U.S. Department of Health and Human Services Office for Civil Rights initiated its investigation of New York and Presbyterian Hospital and Columbia University after they submitted a joint breach report. The breach report detailed that the ePHI of over 6,800 individuals had been disclosed, including information about patient status, vital signs, laboratory results, diagnoses, and medications prescribed. Both organizations are heavily intertwined, as Columbia University faculty members frequently serve as visiting physicians at New York and Presbyterian Hospital, and the two entities frequently use “the New York Presbyterian Hospital/Columbia University Medical Center” to refer to their joint affiliation. Thus, the data breach, while involving two technically separate healthcare organizations, really refers to one breach rather than more than one. The two entities utilize a shared data network, as well as a firewall that is operated by employees from both entities.
The source of the data breach is complex, but investigation has traced it back to a Columbia University physician attempting to deactivate a personally-owned computer server on the shared data network. The lack of technical safeguards in place coupled with that deactivation resulted in the ePHI of thousands of individuals being accessible on public Internet search engines. When one individual contacted New York and Presbyterian Hospital and Columbia University about accessing a deceased partner’s personal health information on the Internet, the reality of the breach came to surface.
The settlement agreed upon by both entities comes after investigation revealed that neither entity made efforts before the breach to ensure that the server contained appropriate software protections for securing health information.
According to a study in the Journal of the American Medical Association, reported data breaches of protected health information increased and involved approximately 29 million records between 2010 and 2013. Most of these data breaches were the result of over criminal activity.