New York-Presbyterian Hospital and Columbia University Medical Center together on May 7 have agreed to hand over a whopping $4.8 million to settle alleged HIPAA violations after the electronic protected health information of 6,800 patients wound up on Google back in 2010.
Following an investigation by the Office for Civil Rights, the HHS division responsible for HIPAA enforcement, it was discovered that the HIPAA breach transpired when a CU physician, who developed applications for NYP and CU, attempted to deactivate a personally-owned computer server on the network containing ePHI. Due to lack of technical safeguards, server deactivation resulted in ePHI being accessible on the Internet.
The data was so widely accessible online that the entities learned of the breach after receiving a complaint by an individual who saw the ePHI of their deceased partner, a former NYP patient, online.
NYP will pay the lion’s share of the settlement at $3.3 million, while CU has agreed to pay $1.5 million.
Despite the more than $25.1 million in fines OCR has levied on healthcare entities that have demonstrated willful neglect over protecting patients’ health information, the cases involving disabled or nonexistent firewalls, unencrypted devices, emails sent with patient data to the wrong recipient, or accidentally posting PHI online are in no short supply.
Just last month, OCR levied nearly $2 million in fines against Concentra Health Services and Arkansas-based QCA Health Plan after two unencrypted laptops containing patient health information were stolen. Both entities also failed to implement proper risk analyses, according to OCR officials.
Not only do organizations face considerable federal and state penalties for violating privacy laws, there’s also all the associated costs that run up the bill.
These costs include extending free credit monitoring to patients, outsourcing hotline support, hiring an external investigation or forensic experts. Then, don’t forget the in-house investigations, legal costs and the hit to your reputation. All in all, these costs average to $2 million for each healthcare entity over a two-year period, according to a 2014 Ponemon Institute breach report.
It’s not all bad news, however. Some healthcare groups appear to be making modest improvements. The same Ponemon report highlighted a slight downtick in the number of breaches healthcare organizations reported in 2013, compared with 2012. In 2012, some 45 percent of healthcare organizations reported having a five or more data breaches. This past year, the number fell to 38 percent.