IT malpractice: Doc operates on server, costs hospitals $4.8M
New York Presbyterian and Columbia University Medical Center settle with HHS to end probe into 2010 patient data leak
Computerworld - An inadvertent data leak that stemmed from a physician's attempt to reconfigure a server cost New York Presbyterian (NYP) Hospital and Columbia University (CU) Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS).
The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday. New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint.
The hospitals also agreed to take "substantive" corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. The HHS will also be provided with periodic progress updates under the agreement.
"Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems," HHS said in a statement announcing the settlement.
The $3.3 million settlement with New York Presbyterian is the largest ever obtained by the HHS for a violation of HIPAA security rules.
The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer from a New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.
The two health care organizations have a mutual agreement under which CU faculty members serve as physicians at NYP. The two entities operate a shared network that links to systems containing patient health data at NYP.
It is not clear why a physician had a personally owned system connected to the network, or why he was attempting to "deactivate" it.
In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.
The leak was discovered after the hospitals received a complaint from an individual who discovered personal health information about his or her deceased partner on the Web.
An investigation by the HHS Office for Civil Rights (OCR) found that neither CU nor NYP had implemented adequate security protections, or undertaken a risk analysis or audit to identify where sensitive patient health information resided on the joint network.
The OCR also faulted New York Presbyterian for not ensuring that only properly authorized systems could access patient data.
In an email, NYP and CU said they have taken substantial steps to strengthen data security controls following the breach.
"For more than three years, we have been cooperating with HHS by voluntarily providing information about the incident in question," the statement said. "We also have continually strengthened our safeguards to enhance our information systems and processes, and will continue to do so under the terms of the agreement with HHS."
HHS has also extracted settlements from several other healthcare entities over the past two years as it beefs up the effort to crack down on HIPAA violations.
In April, it reached a $2 million settlement with Concentra Health Services and QCA Health Plan. Both organizations had reported losing laptops containing unencrypted patient data.
Last December, a Massachusetts dermatology clinic agreed to pay $150,000 to settle an HHS investigation into the loss of a thumb drive containing unencrypted patient health information.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is firstname.lastname@example.org.