After a data breach, the University of Rochester Medical Center (URMC) reached a settlement, New York Attorney General Eric T. Schneiderman, JD, announced recently. The settlement includes the following:
- It requires the medical center to train its workforce on policies and procedures related to protected patient health information.
- It requires the hospital to notify the attorney general of future breaches.
- The hospital must pay a $15,000 penalty.
The settlement is in response to a data breach that occurred in the spring of 2015, when a nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology, without first obtaining authorization from the patients, Schneiderman explained in a statement released after the settlement. On April 21, 2015, Greater Rochester Neurology used the information to mail letters to the patients on the list, informing them that the nurse practitioner would be joining the practice and advising them how to switch to that facility.
URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner subsequently was terminated, notification letters were sent to the affected patients, and the media was alerted. Greater Rochester Neurology has attested that all health information transmitted by URMC has been returned or deleted.
In 2009, state attorneys general were empowered under the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce HIPAA rules by permitting civil actions against violators.
A copy of the settlement can be read here: http://tinyurl.com/h4qxq3p.