New York–Presbyterian Hospital and Columbia University have reached settlement agreements with the Federal Office for Civil Rights that together represent the largest HIPAA settlement ever – $4.8 million in total. The agreements resolve charges involving a 2010 data breach that reportedly exposed the electronic protected health information (ePHI) of 6,800 patients at the two New York-based hospitals.
According to the HHS press release, the breach occurred when a Columbia University physician attempted to deactivate a personally owned computer server that contained ePHI of the hospital's patients. Because of a "lack of technical safeguards," deactivating the server left the ePHI accessible to Internet search engines. The breach was not discovered until an individual found the ePHI of their deceased partner, a former hospital patient, on the Internet.
The hospital agreed to pay $3.3 million, and the university an additional $1.5 million, to resolve the HIPAA charges. Each entity also agreed to prepare a “substantive corrective action plan” that includes “undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports”, according to the HHS press release.