An inadvertent data leak that stemmed from a physician's attempt to reconfigure a server cost New York Presbyterian Hospital and Columbia University Medical Center $4.8 million to settle with the U.S. Department of Health and Human Services (HHS). The hospitals and HHS announced the voluntary settlement, which ends an inquiry into the incident, on Wednesday.
From the article:
The breach occurred in 2010 after a physician at Columbia University Medical Center attempted to "deactivate" a personally owned computer from an New York Presbyterian network segment that contained sensitive patient health information, according to the HHS.
In a joint statement, the two hospitals blamed the leakage on an "errantly configured" computer server. The error left patient status, vital signs, laboratory results, medication information, and other sensitive data on about 6,800 individuals accessible to all via the Web.
New York Presbyterian will pay $3.3 million, while Columbia will pay $1.5 million to settle the complaint. The hospitals also agreed to take "substantive" corrective action, including development of a new risk management plan and new policies and procedures for handling patient data. HHS will also be provided with periodic progress updates under the agreement.
(Score: 4, Interesting) by velex on Friday May 09 2014, @04:21PM
Have you ever tried telling a doctor "no" before?
There are some good doctors who are reasonable people, but the impression I get is that there must be a popular elective in med school about doing improv impersonations of Gunnery Sergeant Hartman.
Oh well, at least it's only nurses who are actually assaulted by doctors on the job, not IT folks.
This is why we can't have Nice Things.
(Score: 2, Informative) by Anonymous Coward on Friday May 09 2014, @04:27PM
Having supported hospital IT in the past; I can tell you that IT has to cave to the doctor's whims in many cases. The will threaten to leave and take their patients with them if they don't get hardware/software "X" installed.
I still contend that all new doctors should be kicked in the groin when they get their diploma to remind them they are still human.
(Score: 2, Informative) by SecurityGuy on Friday May 09 2014, @08:13PM
Having worked in healthcare before, I agree and would even add that they didn't even have to threaten. The IT guys usually don't work for the doctor in question in cases like this, but sometimes they share a common management chain.
You know who is generally in the management chain of hospitals? Doctors.
When a doctor and an IT guy go before the head of the department because one wants to do something risky (in the IT sense) in order to accomplish some kind of patient care or research, you know who wins? Usually the doctors.
I was pretty happy to see HIPAA passed just for that reason. Really big fines were the only thing that was going to change that culture.