The largest HIPAA breach settlement this year cost a hospital and university $4.8 million in government-mandated fees, according to a press release from the U.S. Dept. of Health & Human Services (HHS).
The New York and Presbyterian Hospital (NYP) and Columbia University Medical Center (CUMC) were involved in a data breach in 2010 that exposed the electronic protected health information (ePHI) of almost 7k patients publicly online.
Both NYP and CUMC share a data network and network firewall that is managed by employees that work for both, while the shared network links to NYP information systems that contain ePHI, according to The Wall Street Journal.
Featured Download: Social media access at work. Do your employees know the rules?
Patient data was inadvertently indexed in Google search results when a Columbia University Medical Center doctor (and application developer, apparently) attempted to deactivate his personal computer server that was inexplicably connected to a shared network. The HHS claims that exposure was due to a lack of technical safeguards implemented by the hospital and university.
While personal devices are commonly known to connect to company networks, it’s not as common for a personally-owned server to be connected to networks, especially ones with patient data on them.
They weren’t notified by a security researcher, but rather by a random person who found their deceased partner’s personal health data via a Google search. The data indexed included patient status, vital signs, medications, and laboratory results.
A breach like this is interesting as it’s not the number of affected individuals that prompted the settlement (7k is conservative compared to 4.9 million – the largest breach reported to HHS), but rather the extent of the breach itself and security negligence involved.
For a number of lessons learned from this incident, please view the original article here.
By Thu Pham, Information Security Journalist, Duo Security | @Thu_Duo
Thu Pham covers current events in the tech industry with a focus on information security. Prior to joining Duo, Thu covered security and compliance for the infrastructure as a service (IaaS) industry at Online Tech. Based in Ann Arbor, Michigan, she earned her BS in Journalism from Central Michigan University.
About Duo Security
Duo Security is on a mission to provide advanced security solutions for organizations of all sizes. Duo’s innovative technology protects users, data and applications from credential theft and breaches with a focus on streamlined usability. The company was co-founded by CEO Dug Song, a major contributor to the security community, and CTO Jon Oberheide, expert cloud, mobile, and malware security researcher.