New York Presbyterian Hospital and Columbia University will pay HHS a combined $4.8 million to settle violations of medical privacy laws. The amount of the settlement makes it the largest such payment in history. The problem arose in 2010, when the health records of 6,800 patients ended up online and fully Google-able. It was discovered when an individual found identifiable health records of their deceased partner, a former patient of NYP, on the internet. Yikes!
The data breach included patients’ “status, vital signs, medications, and laboratory results,” information that is closely guarded by privacy provisions of the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Both institutions have cooperated since notifying HHS of the breach. Apparently the breach occurred when a computer server was errantly reconfigured.
Here’s how the information became public. The breach was caused when a physician employed by CU, who developed applications for both NYP and CU, attempted to deactivate a personally owned computer server on the network containing NYP patient information. Because of a lack of technical safeguards, deactivation of the server resulted in patient information being accessible on internet search engines.