Disclosure of patient data seems to be a common occurrence, and we see reports of it in the news on a regular basis (somebody lost an unencrypted laptop, an iPad with patient data was stolen, and so on). But every once in a while there is a disclosure incident that stands out and should grab our attention for more than a minute or two.
Columbia Medical Center in New York was ordered to pay out $4.8 million for disclosures of Protected Health Information that resulted in patient data being made available via the internet (this included labs, meds, vitals and more). Apparently, a server with access to ePHI was erroneously and improperly reconfigured, allowing Google and other search engines to index the data.
How frightening! Not a single piece of equipment left the premises, but thousands of records were made available to the public in the most horrible way possible. Imagine searching for that family member, expecting to see their most recent 5K race results, only to discover a diagnosis that hadn’t been shared with the family yet!
The penalties for this disclosure were stiff, and are intended to send a wake-up call to the Healthcare IT community. Get your house in order! (These are the words, verbatim, from the Office of Civil Rights senior privacy specialist when interviewed about the incident by Healthcare IT News.) Know where your PHI resides, and do everything in your power to protect it!