Data Breach Leads to Record-Setting HIPAA Settlement for Hospital and University

Posted by BAS - 15 May, 2014


A New York City-based hospital and university have agreed to pay $4.8 million to settle charges of a HIPAA violation involving 6,800 patients’ electronic medical records.  The fines represent the largest HIPAA settlement to date.

The breach was uncovered after the hospital received a complaint from an individual who found protected health information of his deceased partner on the Internet.

The hospital and university, which operate under a joint arrangement, reported the data breach to the Department of Health and Human Services in September 2010. They admitted that patients’ PHI, including status, vital signs, medications, and laboratory results, stored on their shared network was exposed on the Internet. According to an investigation, the breach occurred when a physician who also developed applications for both organizations tried to deactivate his personally owned computer server on the hospital’s network.

The investigation by HHS discovered that neither the university nor the hospital had protections to make sure that the server was secure.  HHS also determined that policies and procedures were not in place, and the hospital had not conducted a risk assessment to identify systems that accessed its electronic protected health information.

Benefit Allocation Systems, Inc. has implemented robust policies and procedures to make sure that its servers and the MyEnroll.com database are secure.  BAS maintains the state-of-the-art Tripwire security configuration management system to continuously monitor BAS infrastructure and control all access to the BAS network.

BAS routinely reviews its security policies and procedures to make sure it is following established processes and maintaining best practices with respect to security management.

