Server Breach Makes ePHI Accessible on Google, Costs Covered Entities $4.8 Million

It would be pretty unsettling if your patient status, vital signs, medications, and laboratory results were available for the world to see on Google, wouldn’t it? According to recent settlement agreements announced by the Department of Health and Human Services (“HHS”) on May 7, 2014, that’s exactly what happened when New York and Presbyterian Hospital (“Presbyterian”) and Columbia University (“Columbia”) suffered a data breach, and the covered entities are paying the price. Presbyterian agreed to pay $3.3 million in its settlement and Columbia agreed to pay $1.5 million in its settlement. The settlement agreements resolve alleged violations of the Health Insurance Portability and Accountability Act (“HIPAA”) arising out of a breach of electronic protected health information (“ePHI”) that made the information of 6,800 individuals accessible via search engines, like Google.

The HHS Office for Civil Rights (“OCR”) began its investigation of Presbyterian and Columbia after receiving a joint notice of the breach back in 2010 and subsequently uncovered additional alleged violations of HIPAA. The entities filed a joint breach notice because, operating under an agreement whereby Columbia physicians acted as attending physicians at Presbyterian, they share a data network and a firewall. During its investigation, OCR discovered that the breach, caused by the deactivation of a server, was only the beginning of the entities’ compliance woes. OCR found that the entities’ servers lacked technical safeguards, which, had they been in place, would have prevented ePHI from being accessible from search engines. OCR also found that neither entity had made efforts to secure their servers before the breach, nor had they conducted a thorough enough risk analysis that would have enabled them to create an adequate risk management plan.

The magnitude of the settlements (HHS reported that the monetary payments of $4.8 million include the largest HIPAA settlement to date) shows the importance of technical safeguards and vulnerability assessment in preventing unauthorized access to PHI. The entities are learning this the hard way; in addition to the monetary settlements, Presbyterian and Columbia are also entering into a corrective action plan. As part of the plan, the entities will have to perform a risk analysis, develop a risk management plan, and provide ongoing reports to HHS, among other requirements. In announcing the settlement, Acting Deputy Director of Health Information Privacy for OCR Christina Heide said that the settlements “should remind health care organizations of the need to make data security central to how they manage their information systems.”

To read the HHS press release, click here.


DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Obermayer Rebmann Maxwell & Hippel LLP | Attorney Advertising
