HIPAA Settlements: The Largest One Could Have Been Prevented

The Health Insurance Portability and Accountability Act (HIPAA) has been around since 1996; that’s 18 years. Cyber criminals and data breaches continue to flourish, with headline cases breaking every couple of months. Yet too many organizations still fail at implementing the necessary level of network security and policy oversight to ensure that sensitive data is protected to the required levels.

As evidence, the US Department of Health and Human Services (HHS) Office for Civil Rights (OCR) announced on May 7 that it had secured a $4.8 million combined settlement with New York Presbyterian Hospital (NYP) and Columbia University (CU). The settlement stems from an investigation of a data breach that was reported in September 2010, and it represents the largest HIPAA settlement to date.

And the kicker? The breach was preventable. Had either organization had proper safeguards in place, they would have detected the problem before allowing protected patient information—including lab results, vital signs, and medications—to be available to Internet search engines.

What Happened in the Breach

The data breach involved the inadvertent disclosure of information on about 6,800 patients. That number seems small in comparison to the millions of customers affected by recent hacks such as the Target data breach. Of course, the loss of financial information is a huge problem, but the disclosure of personal health information could in some cases be even more devastating.

Because CU faculty also serve as physicians at NYP, the two organizations operate a joint network, including joint security and IT staff from both sides. That sort of arrangement in itself can complicate any network security effort, yet it is likely not an uncommon situation when you consider how many other universities and medical institutions have similar arrangements. It does, however, highlight the need for each organization to take ownership of its security responsibilities, with appropriate policies and systems in place to ensure adherence to those policies.

According to HHS, “NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.” The breach occurred when a CU doctor, who was also an application developer and therefore had his own server on the network, attempted to deactivate that server and, in the process, left a hole in the network. Without all the details, it’s perhaps debatable whether this doctor should have had admin rights on the network; but regardless, what is clear from the investigation findings is that NYP had policies in place that might have prevented or reduced the impact of the breach, and those policies were not enforced.

How many other IT organizations would suffer the same fate? Think about your own network infrastructure. It’s not enough to establish security policies—although doing so is a must. You have to have oversight that confirms your policies are being followed. You have to have appropriate access controls. These are all things you can get with simple automated auditing software such as Netwrix Auditor, which provides feedback on whether your policies are effective and reports when a violation occurs.

The Cost of the Breach

When you consider the cost of this data breach to the organizations, it’s really much more than the amount they’ll pay. The healthcare organization, NYP, pays the largest chunk of the settlement at $3.3 million, while CU picks up the other $1.5 million. In addition, both organizations agreed to “a substantive corrective action plan, which includes undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff, and providing progress reports,” all of which, naturally, have costs associated with them.

Note that this was a settlement; the case didn’t go to trial. If it had, the costs in legal fees and penalties could have been much higher. I suspect there were still legal costs to the organizations, as their legal teams would likely have overseen the ongoing investigation process—and remember, the investigation took about three and a half years. That’s also time that probably required cooperation from the IT staffs of both organizations.

Although these institutions have settled with the government, I suspect they could still be vulnerable to civil suits from individual patients whose information was disclosed, so their monetary liability as a result of this breach could still be an open matter. In any case, they may have to work to regain patient/customer trust.

The question to ask is whether the effort and cost these organizations—or any like them—now face is more or less than the effort and cost of implementing proper controls to prevent a breach in the first place.

Be Prepared

I’ve heard this too many times, from vendors, IT pros, and analysts: Organizations that have suffered a data breach or security incident (and paid the associated costs) are the ones who now have appropriate security measures in place to prevent such incidents in the future; those organizations that haven’t had a problem generally don’t have the right measures in place or aren’t verifying that their policies are effectively followed.

It’s better to be prepared than to suffer the consequences. Netwrix Auditor can certainly assist with your IT environment security strategy and help you secure your sensitive data. Get the appropriate protection and oversight on your systems before a data breach leads you into legal and financial trouble.