The Department of Health and Human Services’ Office for Civil Rights yesterday announced a $4.8 million settlement with New York-Presbyterian Hospital and Columbia University over violations of the Health Insurance Portability and Accountability Act’s privacy and security rules. CU faculty members serve as attending physicians at the hospital through an affiliation arrangement. The organizations operate a shared data network that links to patient information systems, and submitted a joint breach report to the agency in 2010 regarding the disclosure of electronic protected health information for 6,800 individuals. According to OCR, the breach was caused when a CU physician who developed applications for the hospital and CU attempted to deactivate a personally owned computer server on the network, which resulted in electronic protected health information being accessible on internet search engines. As part of the settlement, both organizations agreed to a corrective action plan that includes developing a risk management plan, revising policies and procedures, and training staff.