Data Breach Results in Largest HIPAA Settlement to Date
May 14, 2014 | Risk Management News
Two New York healthcare organizations have agreed to pay $4.8 million to settle charges that they potentially violated the Health Insurance Portability and Accountability Act (HIPAA) of 1996 privacy and security rules when they failed to secure thousands of patients' electronic protected health information (ePHI) held on their shared network, states a May 7, 2014, U.S. Department of Health and Human Services (HHS) press release. Following the organizations' submission of a joint breach report, HHS's Office for Civil Rights (OCR) conducted an investigation and determined that the breach occurred when a physician employee attempted to deactivate a personally owned computer server on the network. Because of a lack of technical safeguards, deactivation of the server left the ePHI of 6,800 individuals, including patient status, vital signs, medications, and laboratory results, accessible on Internet search engines.