Four years after providing notice of a data breach involving the electronic protected health information (ePHI) of 6,800 individuals, the Department of Health and Human Services (“HHS”) recently announced that two New York hospitals agreed to pay a combined $4.8 million to settle charges that they allegedly violated HIPAA. According to HHS, the two hospitals operate a shared data network and a shared network firewall administered by employees of both entities. Following a three-year investigation, HHS concluded that the breach occurred when a physician attempted to deactivate a personally owned computer server on the network that contained patient health information. HHS asserted that “because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines”; in other words, taking the server out of service left the ePHI reachable from the public internet, where search engines indexed it. In bringing charges, HHS concluded that neither organization undertook appropriate efforts prior to the breach to ensure adequate security of the server. HHS further determined that neither hospital had conducted a thorough risk analysis of its systems, and that one of the hospitals failed to implement “appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.” This $4.8 million settlement is the largest HIPAA settlement to date.
TIP: The penalties for violating HIPAA have continued to increase. Covered entities that have not already done so should promptly undertake a risk analysis to identify every system that stores or accesses protected health information and take steps to ensure that those systems are secure. As this case shows, that analysis should cover infrastructure shared with other entities and devices connected to the network by individual staff, and it should include the process for decommissioning a system, so that taking a server offline cannot leave the data on it exposed.