Two Health Care Organizations Pay Largest HIPAA Fine at $4.8 Million Resulting from Unsecured Shared Network


New York-Presbyterian Hospital and Columbia University entered into a settlement with the Department of Health and Human Services’ Office of Civil Rights (OCR) to resolve allegations that the organizations had violated the Health Insurance Portability and Accountability Act of 1996 (HIPAA) by failing to secure thousands of patients’ electronic protected health information (ePHI) housed on the hospital and university's shared network. At $4.8 million — $3.3 million to be paid by New York-Presbyterian, and $1.5 million to be paid by Columbia University — this represents the largest HIPAA settlement to date. A fine of this magnitude for a technical security standard violation underscores OCR’s commitment to impose harsh consequences to parties obligated to comply with HIPAA who fail to do so.

The alleged breach, which was reported jointly to the OCR by the organizations and occurred in September 2010, involved the unauthorized disclosure of the ePHI of 6,800 individuals, including their respective patient status, vital signs, medications, and lab results. The organizations reported the alleged breach promptly upon learning from an individual who had found a deceased partner’s ePHI from New York-Presbyterian Hospital on the Internet. The investigation revealed that the breach was caused by a physician employed by Columbia University who created applications for both organizations had deactivated a personally owned computer server on the hospitals’ shared network containing New- York Presbyterian patient information, which inadvertently resulted in patient information being accessible on Internet search engines.

Please see full alert below for more information.

LOADING PDF: If there are any problems, click here to download the file.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Brownstein Hyatt Farber Schreck | Attorney Advertising

Written by:


Brownstein Hyatt Farber Schreck on:

Readers' Choice 2017
Reporters on Deadline

"My best business intelligence, in one easy email…"

Your first step to building a free, personalized, morning email brief covering pertinent authors and topics on JD Supra:

Sign up to create your digest using LinkedIn*

*By using the service, you signify your acceptance of JD Supra's Privacy Policy.

Already signed up? Log in here

*With LinkedIn, you don't need to create a separate login to manage your free JD Supra account, and we can make suggestions based on your needs and interests. We will not post anything on LinkedIn in your name. Or, sign up using your email address.