New York hospitals learn that, when you join forces, you also join weaknesses
After creating a joint operating agreement to improve efficiency, two large New York medical centers settled with the federal government after accidentally disclosing health information of thousands of patients.
New York City’s New York and Presbyterian Hospital (NYP) and Columbia University (CU) found themselves at the losing end of a federal investigation into the mishandling of electronic protected health information (ePHI) in violation of the Health Insurance Portability and Accountability Act (HIPAA) Privacy and Security Rules.
Patient Data Breach makes vital signs and medications searchable online
The breach, reported in a 2010 joint breach disclosure by the hospitals, affected the records of 6,800 patients, leaving patient status, vital signs, medications, and laboratory results retrievable through ordinary internet search engines.
The joint agreement allowed CU Medical School faculty to serve as attending physicians at NYP. To support that arrangement, the two organizations share a network that links to NYP patient information systems containing ePHI.
Patient Data Breach caused by missing risk management plan
Problems arose when a CU faculty member connected a personally owned computer to the network that linked to the NYP patient information database. Because the shared network lacked the technical safeguards needed to control such a device, patient records became searchable on the internet.
The breach came to light when a man discovered the private medical records of his deceased partner, a former NYP patient, on the internet and alerted the hospitals, leading to a breach notification and an investigation by the Office for Civil Rights (OCR).
Neither Hospital Took Steps to Protect Patient Data
The investigation determined that neither hospital had taken steps to prevent a breach when the CU physician’s personal computer was disconnected from the system. What’s more, investigators noted that neither hospital had conducted an accurate and thorough risk analysis or developed a risk management plan.
NYP agreed to pay $3.3 million and CU $1.5 million to settle the case, a combined $4.8 million. Both organizations also agreed to a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports to OCR.
Is your data safe from a $4.8 million penalty?
Are you and your partners doing everything possible to protect electronic protected health information? Are your data centers secure? If the answer to either question is “I don’t know,” we can help.