HIPAA Horror Stories

Joint Agreement Leads to Patient Data Breach


New York hospitals learn that, when you join forces, you also join weaknesses

After creating a joint operating agreement to improve efficiency, two large New York medical centers settled with the federal government for a combined $4.8 million after the health information of thousands of patients was exposed on the internet.

New York City’s New York and Presbyterian Hospital (NYP) and Columbia University (CU) found themselves on the losing end of a federal investigation into the mishandling of electronic protected health information (ePHI) in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.

Patient Data Breach makes vital signs and medications searchable online

The breach, reported in a 2010 joint breach notification by the two entities, affected the records of 6,800 patients, exposing patient status, vital signs, medications, and laboratory results to anyone using an internet search engine.

The joint agreement allows CU medical school faculty to serve as attending physicians at NYP. To support that arrangement, NYP and CU operate a shared data network and a shared network firewall, administered by employees of both organizations.

The shared network links to NYP patient information systems containing ePHI, so a weakness on either side exposes both.

Patient Data Breach caused by missing technical safeguards

Problems arose when a CU physician who developed applications for both NYP and CU attempted to deactivate a personally owned computer server he had connected to the shared network. The server held NYP patient ePHI, and because no technical safeguards were in place, deactivating it left the patient records reachable from the internet, where they were indexed and became searchable on public search engines.

The partner of a deceased patient discovered the patient’s private medical records online and alerted the hospitals, leading to a breach notification and an investigation by the HHS Office for Civil Rights (OCR).

Neither Hospital Took Steps to Protect Patient Data

The investigation determined that neither entity had made efforts to ensure the server was secure, or that it carried appropriate software protections, before the CU physician’s server was disconnected from the system. What’s more, investigators found that neither entity had conducted an accurate and thorough risk analysis that identified all systems with access to NYP ePHI, and neither had developed an adequate risk management plan.

NYP agreed to pay $3.3 million and CU $1.5 million to settle the case, a combined $4.8 million that was, at the time (May 2014), the largest HIPAA settlement on record. Both entities also agreed to a substantive corrective action plan that includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports to OCR.

Is your data safe from a $4.8 million penalty?

Are you and your partners doing everything possible to protect electronic protected health information? Do you know every system, including personally owned devices, that can reach it? Are your data centers secure? If the answer to any of these questions is “I don’t know,” we can help.

The HIPAA E-Tool® makes compliance fast and easy. Get your free HIPAA Quick Start kit, complete with a webcam privacy guard, HIPAA Hot Zone labels and a HIPAA checklist delivered directly to your office.

Don’t become a HIPAA Horror Story! HIPAA compliance is easy, when you know the rules.


Copyright © 2020 ET&C Group LLC.
