New York-Presbyterian Hospital (NYP) and Columbia University have agreed to pay a combined $4.8 million – the largest HIPAA settlement ever involving a single incident – to settle charges that they violated the HIPAA Privacy and Security Rules by accidentally making the electronic protected health information of their patients accessible to Internet search engines. The Department of Health and Human Services’ Office for Civil Rights (OCR) launched its investigations after the entities – which operate a shared data network and firewall – notified it of the breach. As part of the settlement, NYP will pay $3.3 million, and Columbia will pay $1.5 million. The entities also agreed to undertake risk analyses, develop risk management plans, revise their existing policies and procedures, and provide training on privacy and security awareness.