“[We] are committed to providing not only the highest levels of medical care to our patients but also handling their personal and medical data with the greatest respect and integrity. For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question, as well as undertaking substantial efforts concerning the protection of privacy and security of patient data. We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS.”
According to OCR, a physician employed by CU developed applications that brought together data from NYP and CU. The physician collected and stored the data on a personal computer server that was not owned or maintained as part of the hospital’s information network, yet operated behind the network firewall jointly operated by CU and NYP. When the physician made modifications and tried to deactivate the server, the data became reachable through an open internet connection. The health information of 6,800 patients stored on the server, including patient status, medications, laboratory results and other sensitive data, was copied by web crawlers operated by one or more internet search engines. Ultimately, the disclosure of the patient information was discovered on the internet by a deceased patient’s next-of-kin.
In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to ensure that the server was secure and that it contained appropriate software protections. Specifically, NYP permitted systems that were not owned or maintained by the hospital to sit behind, and have access to, the network firewall. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” says Christina Heide, acting deputy director of health information privacy for OCR. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”
NYP has paid OCR a monetary settlement of $3.3 million and Columbia has paid $1.5 million. The combined $4.8 million is the largest total payment we have seen yet, although the largest against a single organization remains the $4.3 million civil money penalty imposed on Cignet Health in 2011. Additionally, according to OCR, the investigation against NYP and Columbia resulted in both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports. HHS/OCR’s corrective action plan for NYP can be found here and the agreement for Columbia can be found here.