On May 8, 2014, the U.S. Department of Health and Human Services (HHS) announced the largest settlement to date for alleged HIPAA violations.

New York-Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report regarding the disclosure of the protected health information (PHI) of 6,800 individuals, which included patient status, vital signs, medications and laboratory results.

HHS reported that CU faculty members serve as attending physicians at NYP and that the entities jointly operate a shared data network and a shared network firewall administered by employees of both entities. The investigation by the HHS Office for Civil Rights (OCR) found that a physician employed by CU accidentally deactivated a server on the system, which resulted in PHI being accessible on internet search engines. OCR determined this was possible due to a lack of technical safeguards.

Both entities entered into settlement agreements and NYP paid $3.3 million while CU paid $1.5 million.

Valuable lessons can be learned from this investigation. Have you identified all systems that access your PHI? As noted above, HHS identifies NYP’s failure to do so as the cause of its subsequent failure to develop risk management plans identifying potential threats and hazards to the security of PHI. Shared networks introduce the possibility for others outside your organization to cause a breach, even if unintentional. Risks associated with shared networks need to be addressed in your risk analysis.