In the spring of this year, a University of Rochester (N.Y.) Medical Center nurse practitioner gave a list of 3,403 patient names, addresses and diagnoses to a future employer without obtaining permission from the patients first. Now, URMC has reached a HIPAA settlement with New York State Attorney General Eric Schneiderman, according to a news release from the Attorney General's office.
Here are five things to know about the data breach and HIPAA settlement.
1. On April 21, the nurse practitioner's future employer, Greater Rochester Neurology, mailed letters to the patients on the list informing them of the nurse practitioner's job change and offering advice on how to change providers.
2. URMC learned of the data breach three days later, when upset patients reached out about the letters. The nurse practitioner was terminated.
3. All affected patients were sent notification letters. GRN has since returned or deleted all patient information from URMC.
4. The settlement requires URMC to pay a $15,000 penalty and to educate its employees on policies and procedures related to protected health information.
5. "This settlement strengthens protections for patients at URMC, and it puts other healthcare entities on notice that my office will enforce HIPAA data breach provisions," said Attorney General Schneiderman.