On May 7th, the Department of Health and Human Services’ Office for Civil Rights rocked the health-care world by handing down $4.8 million in fines to New York and Presbyterian Hospital (NYP) and Columbia University (CU) due to a breach of HIPAA regulations dating back to 2010. This represents the largest HIPAA-related settlement to date — and it resulted from the improper disclosure of electronic protected health information (ePHI) for just 6,800 individuals. That’s nearly $706 per exposed record!
How did the breach happen? Through preventable human error, which still represents the biggest threat to health care practice security. A physician and application developer employed by Columbia tried to deactivate a personal computer server on the network that contained NYP patient ePHI, and the attempt left the protected information accessible on public search engines.
The breach was actually revealed when a deceased patient’s partner stumbled upon the former patient’s ePHI online.