It would be pretty unsettling if your patient status, vital signs, medications, and laboratory results were available for the world to see on Google, wouldn’t it? According to recent settlement agreements announced by the Department of Health and Human Services (“HHS”) on May 7, 2014, that’s exactly what happened when New York and Presbyterian Hospital (“Presbyterian”) and Columbia University (“Columbia”) suffered a data breach, and the covered entities are paying the price. Presbyterian agreed to pay $3.3 million in its settlement and Columbia agreed to pay $1.5 million in its settlement. The settlement agreements resolve alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) arising out of a breach of electronic protected health information (“ePHI”) that made the information of 6,800 individuals accessible via search engines, like Google.
The HHS Office for Civil Rights (“OCR”) began its investigation of Presbyterian and Columbia after receiving a joint notice of the breach back in 2010 and subsequently uncovered additional alleged violations of HIPAA. The entities filed a joint breach notice because, operating under an agreement whereby Columbia physicians acted as attending physicians at Presbyterian, they share a data network and a firewall. During its investigation, OCR discovered that the breach, caused by the deactivation of a server, was only the beginning of the entities’ compliance woes. OCR found that the entities’ servers lacked technical safeguards which, had they been in place, would have prevented ePHI from being accessible to search engines. OCR also found that neither entity had made efforts to secure its servers before the breach, nor had either conducted a risk analysis thorough enough to support an adequate risk management plan.
The magnitude of the settlements (HHS reported that the monetary payments of $4.8 million include the largest HIPAA settlement to date) shows the importance of technical safeguards and vulnerability assessment in preventing unauthorized access to PHI. The entities are learning this the hard way: in addition to the monetary settlements, Presbyterian and Columbia are also entering into a corrective action plan. Under the plan, the entities will have to perform a risk analysis, develop a risk management plan, and provide ongoing reports to HHS, among other requirements. In announcing the settlement, Acting Deputy Director of Health Information Privacy for OCR Christina Heide said that the settlements “should remind health care organizations of the need to make data security central to how they manage their information systems.”