A.G. Schneiderman Announces Settlement With University Of Rochester To Prevent Future Patient Privacy Breaches

Settlement Occurred As A Result Of Employee’s Sharing Of Patient Information Without Patient Authorization; Focuses On Prevention Of Future Patient Privacy Breaches

Schneiderman: My Office Will Work To Protect Patients’ Private Health Information

NEW YORK – Attorney General Eric T. Schneiderman today announced a settlement under the Health Insurance Portability and Accountability Act (“HIPAA”). The settlement, reached with University of Rochester Medical Center (“URMC”), requires the medical center to train its workforce on policies and procedures related to protected patient health information, notify the Attorney General of future breaches, and pay a $15,000 penalty.

“This settlement strengthens protections for patients at URMC, and it puts other health care entities on notice that my office will enforce HIPAA data breach provisions,” said Attorney General Schneiderman. “My office is committed to protecting patients’ private health information. Other medical centers, hospitals, health care providers, and health care entities should view this settlement as a warning, and take the time now to review and amend, as needed, their own policies and procedures to better protect private patient information.”

The settlement is in response to a data breach that occurred in the spring of 2015, when a URMC nurse practitioner gave a list containing 3,403 patient names, addresses, and diagnoses to her future employer, Greater Rochester Neurology (“GRN”), without first obtaining authorization from the patients. On April 21, 2015, GRN used the information to mail letters to the patients on the list informing them that the nurse practitioner would be joining the practice and advising them of how to switch to GRN.

URMC learned of the breach three days later, when calls began coming in from patients who were upset about the letter. The nurse practitioner was subsequently terminated, notification letters were sent to the affected patients, and the media was alerted. GRN has attested that all health information transmitted by URMC has been returned or deleted.

In 2009, state attorneys general were empowered under the Health Information Technology for Economic and Clinical Health (HITECH) Act to enforce HIPAA rules by permitting civil actions against violators.

Consumers with questions or concerns about this settlement or other health care privacy matters may call the Attorney General’s Health Care Bureau Helpline at 1-800-428-9071.

A copy of the settlement can be read here.

The investigation of this matter was conducted by Assistant Attorney General Brant Campbell and Volunteer Assistant Attorney General Laura Puhala of the Attorney General’s Health Care Bureau, together with Assistant Attorney General Herbert Israel and Volunteer Assistant Attorney General Stephen Mindell of the Consumer Frauds Bureau. The Health Care Bureau is led by Bureau Chief Lisa Landau, and is a part of the Social Justice Division, led by Executive Deputy Attorney General for Social Justice, Alvin Bragg; and the Consumer Frauds Bureau is led by Jane Azia, and is part of the Economic Justice Division, led by Executive Deputy Attorney General for Economic Justice, Karla Sanchez.