Record Breaking HIPAA Penalty
NY Presbyterian Hospital (NYP) and Columbia University School of Medicine (CU) have jointly agreed to pay $4.8 million after a 3+ year investigation by the U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), for failure to safeguard electronic protected health information (e-PHI), a failure that caused a data breach in 2010. The incident is attributed to several factors, including lack of risk analysis, failure to implement and follow security policies, and failure to execute a risk management plan.
NYP and CU released a joint statement to Information Security Media Group saying:
“[We] are committed to providing not only the highest levels of medical care to our patients but also handling their personal and medical data with the greatest respect and integrity. For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question, as well as undertaking substantial efforts concerning the protection of privacy and security of patient data. We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS.”
According to OCR, a physician employed by CU developed applications that brought together data from NYP and CU. The physician collected and stored the data on a personal computer server that was not owned or maintained as part of the hospital’s information network, yet operated behind the network firewall jointly operated by CU and NYP. When the physician made modifications and tried to deactivate the server, it exposed the information through an open internet connection. The health information of 6,800 patients, including patient status, medications, laboratory results and other sensitive data, that was stored on the server was copied by web-crawlers operated by one or more Internet search engines. Ultimately, the disclosure of the patient information was discovered on the internet by a deceased patient’s next-of-kin.
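The failure mode above (a server behind the perimeter firewall serving patient data to anyone, with search-engine crawlers the first to fetch it) leaves a trace in the web server's own access log long before a next-of-kin finds the pages in a search engine. The following is an added example, not code from the article or from either institution: it parses constructed Apache/Nginx combined-format log lines and flags successful requests from known search-engine crawler user agents to URL paths that serve PHI. The log lines, IP addresses, and the `/patients/` path prefix are all invented for the example; the user-agent substrings are the public names of the major crawlers and are trivially spoofable, so this is a detection heuristic, not an access control.

```python
import re
from typing import Dict, List, Optional

# Constructed sample lines in Apache/Nginx "combined" log format. The IPs,
# paths and timestamps are invented for this example.
SAMPLE_LOG = """\
66.249.66.1 - - [10/Sep/2010:08:14:02 +0000] "GET /patients/12345/labs HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (compatible; Googlebot/2.1; +http://www.google.com/bot.html)"
10.0.4.17 - - [10/Sep/2010:08:15:10 +0000] "GET /patients/12345/labs HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (Windows NT 6.1) Firefox/3.6"
157.55.39.2 - - [10/Sep/2010:08:16:44 +0000] "GET /robots.txt HTTP/1.1" 404 209 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
157.55.39.2 - - [10/Sep/2010:08:16:45 +0000] "GET /patients/67890/meds HTTP/1.1" 200 2048 "-" "Mozilla/5.0 (compatible; bingbot/2.0; +http://www.bing.com/bingbot.htm)"
203.0.113.9 - - [10/Sep/2010:08:20:01 +0000] "GET /index.html HTTP/1.1" 200 1024 "-" "curl/7.19.7"
"""

# Combined log format: ip ident user [ts] "method path proto" status size "referer" "ua"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" '
    r'(?P<status>\d{3}) (?P<size>\S+) "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"$'
)

# User-agent substrings of the major search-engine crawlers. A client can
# claim any user agent, so this only identifies well-behaved crawlers.
CRAWLER_FAMILIES = ("googlebot", "bingbot", "yandexbot", "baiduspider", "duckduckbot", "slurp")

# Hypothetical URL prefixes under which the application serves PHI.
SENSITIVE_PREFIXES = ("/patients/",)


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Parse one combined-format line into named fields; None if it does not match."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def crawler_family(user_agent: str) -> Optional[str]:
    """Return the crawler family name if the user agent matches one, else None."""
    ua = user_agent.lower()
    for fam in CRAWLER_FAMILIES:
        if fam in ua:
            return fam
    return None


def is_sensitive(path: str, prefixes=SENSITIVE_PREFIXES) -> bool:
    """True if the requested path falls under a prefix that serves PHI."""
    return path.startswith(prefixes)


def find_crawler_exposure(log_text: str, prefixes=SENSITIVE_PREFIXES) -> List[Dict[str, str]]:
    """Return one alert per successful (2xx) crawler request to a sensitive path.

    A 2xx status means the server actually handed the data to the crawler;
    a 401/403/404 means the crawler asked but was refused, which is noise here.
    """
    alerts: List[Dict[str, str]] = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        fam = crawler_family(rec["ua"])
        if fam is None or not is_sensitive(rec["path"], prefixes):
            continue
        if not rec["status"].startswith("2"):
            continue
        alerts.append({
            "ts": rec["ts"],
            "ip": rec["ip"],
            "path": rec["path"],
            "status": rec["status"],
            "ua_family": fam,
        })
    return alerts


if __name__ == "__main__":
    for a in find_crawler_exposure(SAMPLE_LOG):
        print(f"{a['ts']} {a['ua_family']:<10} {a['status']} {a['path']} from {a['ip']}")
```

Run against the constructed log, the script reports the two 2xx requests from Googlebot and bingbot under `/patients/` and ignores the internal browser session, the crawler's 404 for `/robots.txt`, and the `curl` request to a non-sensitive page. In practice the same logic belongs in a scheduled job over the real log path, and a single hit from a crawler on a PHI path is worth an incident ticket: it means the server was reachable from the internet without authentication, which is the condition the risk analysis described in the next paragraph was supposed to find first.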
In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections. Specifically, NYP permitted systems that were not owned or maintained by the hospital to have access to the network firewall. Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI. As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI. Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.
“When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information,” says Christina Heide, acting deputy director of health information privacy for OCR. “Our cases against NYP and CU should remind healthcare organizations of the need to make data security central to how they manage their information systems.”
NYP has paid OCR a monetary settlement of $3.3 million and Columbia $1.5 million. The combined fine is the largest total payment we have seen yet; however, the largest to a single organization was in 2011, when Cignet Health received a civil penalty of $4.3 million. Additionally, according to OCR, the investigation against NYP and Columbia resulted in both entities agreeing to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports. HHS/OCR's corrective action plan for NYP can be found here and the agreement for Columbia can be found here.