New York-Presbyterian, Columbia to pay largest HIPAA settlement: $4.8 million


New York-Presbyterian Hospital and Columbia University have reached settlement agreements totaling $4.8 million with the Office for Civil Rights at HHS after 6,800 patients’ records, including the patients’ vital signs and lab test results, were exposed to the Internet more than three years ago.

The hospital, whose data system was breached, caught the lion’s share of the settlement amount, $3.3 million, with the university agreeing to an additional $1.5 million. Each also agreed to prepare a “substantive corrective action plan” that includes “undertaking a risk analysis, developing a risk management plan, revising policies and procedures, training staff and providing progress reports,” according to an HHS statement that pronounces the combined payment to be “the largest HIPAA settlement to date.”

Thus far, 985 reports of breaches large enough to involve 500 or more persons’ medical records have been submitted to the Office for Civil Rights and posted on its “wall of shame” website, as required by the federal breach notification requirements of the American Recovery and Reinvestment Act of 2009. Those posted breaches account for the exposure of 31.3 million records.