Hospital To Pay Millions After Embarrassing Data Breach Put Patient Info On Google

New York Presbyterian Hospital and Columbia University will pay the Department of Health and Human Services a combined $US4.8 million to settle potential violations of medical privacy laws. The amount of the settlement makes it the largest such payment in history.

The payment settles problems that arose in 2010, when the health records of 6,800 patients ended up online and fully Google-able. “The entities learned of the breach after receiving a complaint by an individual who found the ePHI [identifiable health records] of the individual’s deceased partner, a former patient of NYP, on the internet,” HHS explained in a press release.

The data breach included patients’ “status, vital signs, medications, and laboratory results,” information that is closely guarded by privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Through a joint arrangement, Columbia University’s faculty members serve as attending doctors at New York Presbyterian. Their partnership is referred to as “New York Presbyterian Hospital/Columbia University Medical Center.”

“The hospital, whose data system was breached, caught the lion’s share of the settlement amount, $US3.3 million, with the university agreeing to an additional $US1.5 million,” notes Modern Healthcare.

Both institutions have cooperated since notifying HHS of the breach.

“The inquiry arose after NYP and CUMC reported to HHS the inadvertent leakage of certain patient data to Internet search engines when a computer server was errantly reconfigured,” a spokesperson for NYP told Business Insider, in an emailed statement. “Affected individuals were notified personally, as were media outlets… and there was no indication at the time or subsequently that any information was accessed or used inappropriately.”

As part of the settlement, both institutions have agreed to “a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports.”

Here’s how the private medical information became public, according to the HHS investigation:

The breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.

The fact that this breach happened at two major, widely respected institutions, “who you expect to be the leader,” is particularly worrisome, Rachel Seeger, of HHS’s Office for Civil Rights, told Government Health IT. “You can only imagine what’s happening at your child’s pediatrician office.”

Indeed, data breaches at hospitals and doctors’ offices are not rare.

The latest report from the Ponemon Institute, which studies privacy and security, found that 90% of surveyed healthcare institutions had at least one data breach within the past two years. Thirty-eight per cent have had more than five such incidents, a slight decline from last year, when that number was 45%.

Since 2009, more than 31.3 million patients have been affected by healthcare breaches that involved 500 people or more, which HHS is required by law to make public.

Here’s the full statement from NYP/CUMC:
