New York Presbyterian Hospital and Columbia University will pay the Department of Health and Human Services a combined $4.8 million to settle potential violations of medical privacy laws. The amount of the settlement makes it the largest such payment in history.
The payment settles problems that arose in 2010, when the health records of 6,800 patients ended up online and fully Google-able. "The entities learned of the breach after receiving a complaint by an individual who found the ePHI [identifiable health records] of the individual’s deceased partner, a former patient of NYP, on the internet," HHS explained in a press release.
The data breach included patients' "status, vital signs, medications, and laboratory results," information that is closely guarded by privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA).
Through a joint arrangement, Columbia University's faculty members serve as attending doctors at New York Presbyterian. Their partnership is referred to as "New York Presbyterian Hospital/Columbia University Medical Center."
"The hospital, whose data system was breached, caught the lion's share of the settlement amount, $3.3 million, with the university agreeing to an additional $1.5 million," notes Modern Healthcare.
Both institutions have cooperated since notifying HHS of the breach.
"The inquiry arose after NYP and CUMC reported to HHS the inadvertent leakage of certain patient data to Internet search engines when a computer server was errantly reconfigured," a spokesperson for NYP told Business Insider, in an emailed statement. "Affected individuals were notified personally, as were media outlets... and there was no indication at the time or subsequently that any information was accessed or used inappropriately."
As part of the settlement, both institutions have agreed to "a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports."
Here's how the private medical information became public, according to the HHS investigation:
The breach was caused when a physician employed by CU who developed applications for both NYP and CU attempted to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Because of a lack of technical safeguards, deactivation of the server resulted in ePHI being accessible on internet search engines.
While this incident was especially newsworthy because of the size of the settlement and the prominence of the institutions involved, data breaches at hospitals and doctors' offices are not rare.
The latest report from the Ponemon Institute, which studies privacy and security, found that 90% of surveyed healthcare institutions had at least one data breach within the past two years. Thirty-eight percent have had more than five such incidents, a slight decline from last year, when that number was 45%.
Since 2009, more than 31.3 million patients have been affected by healthcare breaches that involved 500 people or more, which HHS is required by law to make public.
Here's the full statement from NYP/CUMC:
NewYork-Presbyterian Hospital (NYP) and Columbia University Medical Center (CUMC) have reached a voluntary settlement with the U.S. Department of Health and Human Services (HHS) resolving an inquiry by HHS into an inadvertent disclosure of patient information that occurred in 2010.
The inquiry arose after NYP and CUMC reported to HHS the inadvertent leakage of certain patient data to Internet search engines when a computer server was errantly reconfigured. Affected individuals were notified personally, as were media outlets, in September 2010, and there was no indication at the time or subsequently that any information was accessed or used inappropriately.
NYP and CUMC have agreed to augment certain relevant policies and procedures, supplement their risk analysis and risk management efforts, and provide additional training for staff.
NYP and CUMC are committed to providing not only the highest levels of medical care to our patients but also handling their personal and medical data with the greatest respect and integrity. For more than three years, we have been cooperating with HHS, by voluntarily providing information about the incident in question, as well as undertaking substantial efforts concerning the protection of privacy and security of patient data. We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS.
This story was updated to remove comments that were retracted from a Government Health IT article.
More From Business Insider