No private information should ever be leaked to the public, but when it comes to data that should never be seen by unwanted third parties, patient records top the list. So it is understandable that in 2010, an individual was prompted to take action after finding a dead partner’s private medical data available for public viewing online, according to iHealthBeat.
This shocking find prompted immediate action, and the files in question were traced to their originating point: New York-Presbyterian Hospital and Columbia University Medical Center. But how had those extremely privileged files found their way out of the hospital’s internal system and onto the Web?
In this day and age, the answer should surprise nobody: A data breach.
Blame — and Recovery Costs — Will Always Fall on Breached Enterprises, Not Attackers
But for authorities looking into the breach, the investigative focus had little to do with details about the attacker and everything to do with the deficiencies in enterprise security that led the hospitals to such a detrimental information leakage.
As it turned out, the discovery of the single dead partner’s records pointed to a much larger problem, one in which 6,800 patient records had been breached and exposed, according to GovernmentHealthIT.
Computerworld reported that unlike many breaches, which are carried out by malicious third parties, this one came from within and was inadvertent. The compromised information resulted from a physician attempting to disconnect his personal computing device from the hospital’s network.
Why his device was plugged into the network in the first place — a hospital, after all, does not seem like the most BYOD-friendly enterprise — remains unclear. But in attempting to remove his computer from the system, the doctor triggered a latent hospital server vulnerability that led to the broad exposure of private data.
Regardless of the doctor’s lapses in judgment, the ultimate blame falls on the enterprise at large, and they’re the ones paying the price.
As Computerworld pointed out, the U.S. Department of Health and Human Services has leveraged a $4.8 million fine stemming from the incident, to be paid jointly by New York-Presbyterian ($3.3 million) and Columbia ($1.5 million). This fine represents the largest in the history of HIPAA violations.
“Our cases against NYP and CU should remind health care organizations of the need to make data security central to how they manage their information systems,” a statement from the HHS read.
Rachel Seeger, a senior health administration privacy outreach specialist with the Office for Civil Rights — the group that carried out the investigation into the breach — added that such a violation caused by an organization “who you expect to be the leader” is cause for drastic enterprise security reform.
“The message here is get your house in order,” she said. “The gloves are off.”
Enterprises that do not take the proper means to guard their infrastructure can expect these kinds of public admonishments to long outlast the data leakage itself. The great difficulty inherent in recovering from any breach should be all the motivation organizations need to firm up security.