As reported by Computerworld, an “inadvertent data leak that stemmed from a physician’s attempt to reconfigure a server cost New York Presbyterian (NYP) Hospital and Columbia University (CU) Medical Center $4.8 million.” According to the US Department of Health and Human Services (HHS), which fined NYP $3.3 million and CU $1.5 million for an impermissible disclosure of ePHI (electronic Protected Health Information) under HIPAA (the Health Insurance Portability and Accountability Act of 1996):
The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to “deactivate” a personally owned computer from a New York Presbyterian network segment that contained sensitive patient health information…
The $3.3 million settlement with NYP is the largest ever obtained by the HHS for a violation of HIPAA security rules.
Apparently NYP and CU share a computer network, but Computerworld reported that “it is not clear why a physician had a personally owned system connected to the network, or why he was attempting to ‘deactivate’ it.”
Computerworld also reported on a joint statement issued by NYP and CU:
…the two hospitals blamed the leakage on an “errantly configured” computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.
HHS reported on the investigation by its Office for Civil Rights (OCR):
In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.
Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.
As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.
Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
Obviously we will continue to see more HIPAA violation headlines, but who would have imagined that a physician would cause a $4.8 million HIPAA violation, or that hospitals would make no effort to secure their ePHI servers?