A data breach can slug below the belt and knock a healthcare business flat on its back, as was the case with Columbia University and the New York and Presbyterian Hospital.
They paid a $4.8 million settlement (the biggest HIPAA settlement to date) after the electronic records of 6,800 patients (including vital stats, medications and even lab results) were accidentally leaked into cyberspace.
The leak was caused when a Columbia University doctor (who developed applications for CU as well as NYP) attempted to deactivate a personally owned computer server that sat on the network containing patient data.
The server lacked technical safeguards, and there’s evidence that neither organization had made any efforts, prior to the data breach, to ensure that the server was properly protected.
In fact, no risk analyses had been conducted; there was no risk management plan of substance, and both parties had failed to put in place policies and procedures governing access to databases, among other failures.
The leak came to light when someone discovered details of a deceased partner (a former NYP patient) online and complained.
Neither NYP nor CU had taken measures to ensure server integrity.
“When entities participate in joint compliance arrangements,” says Christina Heide, “they share the burden of addressing the risks to protected health information.” Heide is Acting Deputy Director of Health Information Privacy for OCR. She goes on to point out that this disaster should be a wakeup call to healthcare organizations that protection of patient data should be paramount.
Part of the judgment is that both organizations will have to overhaul security measures, a major corrective action undertaking that includes developing a risk management plan and providing progress reports.
Find more information about this breach here:
Robert Siciliano is an Identity Theft Expert to AllClearID. He is the author of 99 Things You Wish You Knew Before Your Identity Was Stolen. See him knock ’em dead in this identity theft prevention video. Disclosures.
ROBERT SICILIANO, CEO of IDTheftSecurity.com is fiercely committed to informing, educating, and empowering Americans so they can be protected from violence and crime in the physical and virtual worlds. His "tell it like it is" style is sought after by major media outlets, executives in the C-Suite of leading corporations, meeting planners, and community leaders to get the straight talk they need to stay safe in a world in which physical and virtual crime is commonplace. Siciliano is accessible, real, professional, and ready to weigh in and comment at a moment's notice on breaking news.