Doctor’s Attempt to Deactivate Computer Led to a HIPAA Fine of $4.8 Million


A HIPAA violation occurred because an “inadvertent data leak that stemmed from a physician’s attempt to reconfigure a server cost New York Presbyterian (NYP) Hospital and Columbia University (CU) Medical Center $4.8 million,” as reported by Computerworld. The US Department of Health and Human Services (HHS), which fined NYP $3.3 million and CU $1.5 million for an impermissible disclosure of ePHI (electronic Protected Health Information) under HIPAA (the Health Insurance Portability and Accountability Act of 1996), stated:

The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to “deactivate” a personally owned computer from a New York Presbyterian network segment that contained sensitive patient health information…

The $3.3 million settlement with NYP is the largest ever obtained by the HHS for a violation of HIPAA security rules.

Apparently NYP and CU share a computer network, but Computerworld reported that “it is not clear why a physician had a personally owned system connected to the network, or why he was attempting to “deactivate” it.”

Computerworld also reported that NYP and CU issued a joint statement that:

…the two hospitals blamed the leakage on an “errantly configured” computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.

HHS reported the following about the investigation by its Office for Civil Rights (OCR):

In addition to the impermissible disclosure of ePHI on the internet, OCR’s investigation found that neither NYP nor CU made efforts prior to the breach to assure that the server was secure and that it contained appropriate software protections.

Moreover, OCR determined that neither entity had conducted an accurate and thorough risk analysis that identified all systems that access NYP ePHI.

As a result, neither entity had developed an adequate risk management plan that addressed the potential threats and hazards to the security of ePHI.

Lastly, NYP failed to implement appropriate policies and procedures for authorizing access to its databases and failed to comply with its own policies on information access management.

Obviously we will continue to see more HIPAA violation headlines, but who would have imagined that a physician would cause a $4.8 million HIPAA violation, or that hospitals would make no effort to assure that their ePHI servers were secure?
