An inadvertent data leak that stemmed from a physician’s attempt to reconfigure a server cost New York Presbyterian (NYP) Hospital and Columbia University (CU) Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS).
The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday. New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint.
The hospitals also agreed to take “substantive” corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. The HHS will also be provided with periodic progress updates under the agreement.
“Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems,” the statement said.
The $3.3 million settlement with New York Presbyterian is the largest ever obtained by the HHS for a violation of HIPAA security rules.
The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to “deactivate” a personally owned computer from an New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.
The two health care organizations have a mutual agreement under which CU faculty members serve as physicians at NYP. The two entities operate a shared network that links to systems contacting patient health data at NYP.
It is not clear why a physician had a personally owned system connected to the network, or why he was attempting to “deactivate” it.
In a joint statement, the two hospitals blamed the leakage on an “errantly configured” computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.
The leak was discovered after the hospitals received a complaint from an individual who discovered personal health information about his or her deceased partner on the Web.
An investigation by the HHS Office for Civil Rights (OCR) found that neither CU nor NYP had implemented adequate security protections, or undertook a risk analysis or audit to identify the location of sensitive patient health information on the joint network.
The OCR also faulted New York Presbyterian not ensuring that only properly authorized systems could access patient data.
In an email, NYP and CU said they have taken substantial steps to strengthen data security controls following the breach.
“For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question,” the statement said. “We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS.”
HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations.
In April, it reached a $2 million settlement with with Concentra Health Services and QCA Health Plan. Both organizations reported losing laptops containing unencrypted patient data.
Last December, a Massachusetts dermatology clinic agreed to pay $150,000 to settle an HHS investigation into the loss of a thumb drive containing unencrypted patient health information.