Sometimes, it takes years before we find out how HHS responded to a breach. A breach involving New York City Health & Hospitals Corporation that affected 1.7 million patients is a case in point.
As reported previously on this blog, the breach occurred in December 2010 when backup tapes were stolen from the unlocked vehicle of HHC’s business associate.
So what did OCR find in its investigation?
They note:
Upon discovery of the breach, the CE filed a police report to recover the stolen items and provided breach notification to HHS, the media, and affected individuals. As a result of OCR’s investigation, the CE terminated its BA agreement and installed encryption software on backup media. The breach incident involved a BA and occurred prior to the September 23, 2013, compliance date. OCR verified that the CE had a proper BA agreement in place that restricted the BA’s use and disclosure of PHI and required the BA to safeguard all PHI.
So it sounds like HHC did not incur any penalties or serious conditions as a result of the breach, and the business associate lost their contract. That sounds about right if the BA did not comply with its contractual obligations to protect the protected health information.