Earlier this week, the U.S. Department of Health and Human Services’ Office for Civil Rights (“OCR”) reached settlements with New York and Presbyterian Hospital (“NYP”) and Columbia University (“CU”) for alleged violations of the Health Insurance Portability and Accountability Act of 1996 (“HIPAA”).  The entities operate a shared data network and a shared network firewall.  Due to insufficient safeguards, deactivation of a server resulted in Protected Health Information (“PHI”) of approximately 6,800 patients becoming available via internet search engines.  To resolve the matter, NYP paid a monetary settlement of $3,300,000 and CU paid a monetary settlement of $1,500,000.  Both entities also entered into substantive corrective action plans with OCR.

The breach occurred in 2010 when an application developer for NYP and CU attempted to deactivate a computer server on the shared network.  PHI on that network then became publicly available.  NYP and CU learned of the breach when a deceased patient’s partner saw the patient’s PHI online and complained to NYP and CU.  The entities submitted a joint breach report on September 27, 2010.

Upon investigation, OCR found that insufficient precautions had been taken to ensure that the server was secure.  Additionally, OCR found that neither entity had conducted an accurate and thorough risk analysis that identified all systems accessing electronic PHI, which meant that the entities had neglected to develop an adequate risk management plan for electronic PHI.  NYP had also failed to implement sufficient policies and procedures regarding accessing its databases that contain electronic PHI.

This settlement has been added to Cooley’s “Select HIPAA Privacy and Security Enforcement Actions Tracker” that may be accessed on the right side of this page or under the “Resources” tab above.