About the Largest HIPAA Security Breach Settlement
On May 7th, the US Department of Health and Human Services (HHS) announced that two medical facilities working jointly agreed to pay a $4.8 million settlement, the largest ever paid, stemming from a security breach five years ago.
New York-Presbyterian Hospital and Columbia University self-reported the unintentional disclosure of 6,800 patients' electronic Protected Health Information (PHI) in September 2010. The providers became aware of the situation when an individual reported finding the PHI of a deceased loved one on the internet; the information was accessible via Google search.
As with most catastrophic blunders, this one came about through a series of smaller, preventable mistakes. Below are the preventable HIPAA compliance security errors and oversights listed by HHS that led to the breach:
- “lack of technical safeguards”
- “neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections”
- “neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI”
- “neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI”
- “NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management”
This is yet another example that even high-profile teaching facilities are often not secure or efficient at managing the challenges of electronic PHI.
How are institutions with less funding maintaining HIPAA compliance in the digital age when even the prestigious institutions are struggling? Companies need to find alternative means to provide these capabilities.
Many businesses have tools in place to provide some level of security for their environments, but how do you know they are working? More importantly, how do you know when they are not? Are they the right tools to protect everything you have?
How Sedara Can Help You with HIPAA
Sedara’s managed security solutions are meant to provide these security safeguards, with flexibility, operational efficiency, and a team to back it up.
Subscribe to Sedara Declassified to get timely updates on new and evolving threats – and what to do about them – just like our clients do.