HIPAA Affects Hospital & University Alike; Results in $4.8 Million Settlement
The largest HIPAA breach settlement this year cost a hospital and university $4.8 million in government-mandated fees, according to a press release from the U.S. Dept. of Health & Human Services (HHS).
The New York and Presbyterian Hospital (NYP) and Columbia University Medical Center (CUMC) were involved in a data breach in 2010 that exposed the electronic protected health information (ePHI) of almost 7k patients publicly online.
Both NYP and CUMC share a data network and network firewall that is managed by employees that work for both, while the shared network links to NYP information systems that contain ePHI, according to The Wall Street Journal.
Patient data was inadvertently indexed in Google search results when a Columbia University Medical Center doctor (and application developer, apparently) attempted to deactivate his personal computer server that was inexplicably connected to a shared network. The HHS claims that exposure was due to a lack of technical safeguards implemented by the hospital and university.
While personal devices are commonly known to connect to company networks, it’s not as common for a personally-owned server to be connected to networks, especially ones with patient data on them.
They weren’t notified by a security researcher, but rather by a random person who found their deceased partner’s personal health data via a Google search. The data indexed included patient status, vital signs, medications, and laboratory results.
A breach like this is interesting as it’s not the number of affected individuals that prompted the settlement (7k is conservative compared to 4.9 million - the largest breach reported to HHS), but rather the extent of the breach itself and security negligence involved.
Lessons Learned
A few lessons to be learned can be found in the settlement’s claims against the hospital, which others can ensure they do to prevent a similar data breach:
- Conduct an accurate and thorough risk analysis
- Inventory all IT equipment, applications and data systems that contain or process ePHI
- Implement processes to monitor all parts your IT infrastructure that are linked to databases with ePHI
- Implement security measures to reduce risks and vulnerabilities to ePHI
- Implement appropriate policies and procedures for authorizing access to patient databases
- Establish and comply with your own policies on information access management
Other major healthcare breach settlements include Concentra Health Services that paid $1.725 million after unencrypted laptops were stolen containing ePHI. WellPoint also paid HHS $1.7 million after they failed to put technical safeguards in place to secure their online application database, allowing access to the ePHI of over 600k individuals within their database.
Protecting web-based applications under HIPAA safeguards should include technical solutions such as two-factor authentication to protect users that log into systems containing sensitive health data.
Find out more about health IT security in:
Securing E-Prescription Applications & Identity-Proofing
Lax Healthcare Vendor Security Leads to Data Breaches & Tax Fraud
Two-Factor Authentication for Electronic Health Record (EHR) Apps
Streamlining Two-Factor Authentication for Health IT