Largest privacy breach payment to date since HIPAA enforcement in 2003
Capping off a three-year inquiry into a data breach of thousands of patient health records, the U.S. Department of Health and Human Services (HHS) Office for Civil Rights (OCR) ordered New York Presbyterian Hospital (NYP) and Columbia University (CU) to pay $4.8 million in settlement fees earlier this month. This marks the largest payment for a privacy breach to date since enforcement of HIPAA’s Privacy Rule took effect in 2003.
NYP and CU operate Columbia University Medical Center under a joint venture, and operate a shared data network and network firewall that is overseen by employees at both organizations. According to the U.S. Department of Health and Human Services, the shared network connects to NYP patient data systems that contain electronic protected health information (ePHI). The breach occurred in September 2010, when a physician at Columbia University deactivated a PC server on the network that contained ePHI. Because data protection on the server was insufficient, nearly 7,000 patient records, which contained information such as vital signs, medications, lab results and other status reports, became accessible on internet search engines. Hospital representatives claimed they had no knowledge of the breach until the partner of a deceased patient discovered ePHI on the internet and notified hospital officials.
While none of the ePHI records were found to have been accessed for unlawful purposes, the OCR found that both NYP and CU failed to conduct the necessary risk analysis, security testing and software protection updates prior to the breach, which would have identified all systems that access NYP ePHI. The investigation also revealed that neither group had set up proper risk management and security procedures to manage data and privacy breaches. As part of the settlement agreement, both NYP and CU have revamped patient privacy standards throughout the facility, including risk analysis and risk management policies, as well as creating new training procedures and education for staff about network security. NYP paid OCR $3.3 million in settlement fees and CU covered the remaining $1.5 million.
As the case demonstrates, an accidental technical error can cause massive damage to network and data systems, exposing confidential information across the web with the flip of a switch or a single disconnection. With thousands of patient records on file, health care organizations must be vigilant about network security and risk management procedures.
This settlement demonstrates the enormous exposure facing all types of institutions, especially health organizations, from data breaches, including the significant sums of money involved. To reiterate, not one of the ePHI records was found to have been used or accessed for any unlawful purpose: the fine was purely for the breach. There are various insurance products that may cover and address some of the costs associated with privacy and data breaches. It is incumbent upon risk managers and organizations to focus not only on prevention, but also on the resilience and agility to respond. We urge you to consult your WGA Client Executive for further information on cyber insurance products.
About the Author
Ann Mizner McKay is the General Counsel and Senior Vice President at WGA. She manages the legal affairs of the company and also serves as the Claims Practice Leader for the firm. She has extensive experience and knowledge in various types of risks including technology, healthcare, business service, environmental, energy, life sciences, financial institutions and other business risks.