An investigation into the breach took place after New York and Presbyterian Hospital (NYP) and Columbia University (CU) submitted a joint breach report dated September 27, 2010. The report said that 6,800 individuals had their electronic protected health information (ePHI) compromised, including patient status, vital signs, medications, and laboratory results.
The health organizations are separate entities, however they participate in a joint arrangement in which CU faculty members serve as attending physicians at NYP. They both operate a shared data network and a shared network firewall administered by employees of both organization. The network links to NYP patient information systems containing ePHI.
Image Source: Flickr (Jean-Etienne Minh-Duy Poirrier)
Where things went wrong was when an a physician at CU tried to deactivate a personally-owned computer server on the network containing NYP patient ePHI. Due to a lack of technical safeguards, deactivating the server caused the ePHI to be accessible on Internet search engines. This was learned after an individual who discovered the ePHI of a deceased partner and former NYP patient complained.
"When entities participate in joint compliance arrangements, they share the burden of addressing the risks to protected health information," said Christina Heide, Acting Deputy Director of Health Information Privacy for OCR. "Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems."
NYP has forked over $3.3 million to the Office for Civil Rights (OCR while CU added another $1.5 million. The combined settlement is the largest ever involving HIPPA.