The federal government will not pursue action against the University of Rochester (N.Y.) Medical Center over a breach last year that compromised the protected health information of 3,403 patients, according to a Democrat & Chronicle report.
In April 2015, a nurse practitioner at URMC gave a list of patient names to a future employer without first obtaining permission from the patients. The future employer, Greater Rochester Neurology, mailed those patients letters to inform them the nurse practitioner was changing jobs and to advise them on how to change providers.
In December, the New York State Attorney General's office and URMC reached a HIPAA settlement requiring the hospital to pay $15,000 and educate employees on policies and procedures related to protected health information.
The hospital also had to report the breach to HHS' Office for Civil Rights, which investigates HIPAA breaches and which, the report indicates, was investigating the violation in December. HHS has neither confirmed nor denied investigations, according to the report.
Christopher DiFrancesco, associate vice president for communications at URMC, told the Democrat & Chronicle in an email, "HHS is aware of the resolution reached with the New York State Attorney General, and they informed us last month that they do not plan to take any further action regarding this matter."