Data leak
NewYork-Presbyterian / Columbia University Hospital Shared Network Exposure: 6,800 Patients
Primary Source
Incident Details
In September 2010, NewYork-Presbyterian Hospital (NYP) and Columbia University Medical Center (CUMC) reported that the electronic protected health information (ePHI) of approximately 6,800 patients had been exposed on the internet through a network misconfiguration. The two institutions operated a shared data network and a shared network firewall administered by employees of both organizations, and Columbia faculty served as attending physicians at NYP. A physician employed by Columbia, who developed applications for both NYP and Columbia, attempted to deactivate a personally owned computer server on the shared network. Because the network lacked technical safeguards, deactivating the server left patient data (names, vital signs, diagnoses, medications and laboratory results) accessible from the internet and indexed by search engines. The entities learned of the exposure from a complaint by an individual who found the records of their deceased partner, a former NYP patient, through an internet search.

The incident produced the largest HIPAA settlement to that date. In May 2014, HHS OCR announced that NYP agreed to pay $3.3 million and Columbia $1.5 million (a combined $4.8 million), each under a corrective action plan. OCR found that neither entity had conducted an accurate and thorough risk analysis identifying all systems that could access NYP ePHI, that as a result neither had an adequate risk management plan addressing the threats to that data, and that NYP had failed to implement policies and procedures for authorizing access to its patient databases and had not complied with its own information access management policies.

The case is notable because both entities were held accountable as separate covered entities participating in a joint arrangement, rather than one being treated as the other's business associate. It illustrates the risk of shared network environments between academic medical centers and affiliated universities: a host that no one had inventoried or authorized, taken down by someone outside IT, carried patient data onto the public internet. The obligation it underlines is to inventory every system that can reach PHI and to authorize and monitor every server joined to a network that carries it.
Technical Details
- Initial Attack Vector
- Network misconfiguration: a physician employed by Columbia University attempted to deactivate a personally owned computer server on the shared NYP/CUMC network. With no technical safeguards on the shared network and no inventory or authorization process covering the host, the deactivation left the patient database behind the physician's application reachable from the internet, and search engines indexed the records.
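The control OCR found missing here is an inventory of every system that can reach PHI, cross-checked against what is actually reachable from the internet. The following is an added illustration, not code from the incident record or from either institution: it joins a constructed list of listening sockets (as one would collect with `ss -lnt` on each host), a constructed first-match firewall ruleset for the shared segment, and an authorized-server inventory, and reports every service an internet source could reach, flagging hosts absent from the inventory. All addresses, ports, rules and the `probe_src` value are assumptions made for the example.

```python
"""Exposure audit for a shared network segment (added example, constructed data)."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Rule:
    """One firewall rule. Rules are evaluated first-match with default deny."""
    src: str             # source CIDR; "0.0.0.0/0" matches any internet source
    dst: str             # destination CIDR
    port: Optional[int]  # None means any destination port
    action: str          # "allow" or "deny"


@dataclass(frozen=True)
class Listener:
    """A socket observed listening on a host (e.g. one line of `ss -lnt`)."""
    host: str
    bind: str            # "0.0.0.0" = all interfaces, "127.0.0.1" = loopback only
    port: int
    service: str


def reachable(rules: List[Rule], src_ip: str, dst_ip: str, port: int) -> bool:
    """True if the first matching rule allows src_ip -> dst_ip:port; deny if nothing matches."""
    src = ipaddress.ip_address(src_ip)
    dst = ipaddress.ip_address(dst_ip)
    for r in rules:
        if (src in ipaddress.ip_network(r.src)
                and dst in ipaddress.ip_network(r.dst)
                and (r.port is None or r.port == port)):
            return r.action == "allow"
    return False


def audit_exposure(listeners: List[Listener], rules: List[Rule],
                   inventory: Dict[str, str], probe_src: str = "198.51.100.7") -> List[dict]:
    """Report every non-loopback listener an internet source (probe_src, TEST-NET-2
    documentation address) can reach, marking hosts missing from the inventory."""
    findings = []
    for l in listeners:
        if l.bind in ("127.0.0.1", "::1"):
            continue  # loopback-only services are not reachable off-host
        if not reachable(rules, probe_src, l.host, l.port):
            continue
        owner = inventory.get(l.host)
        findings.append({
            "host": l.host, "port": l.port, "service": l.service,
            "status": "authorized" if owner else "UNAUTHORIZED",
            "owner": owner,
        })
    return findings


# Constructed sample data. Only the patient portal is in the authorized inventory;
# 10.20.0.57 stands in for a personally owned server nobody registered.
INVENTORY = {"10.20.0.10": "patient-portal (hospital IT)"}
LISTENERS = [
    Listener("10.20.0.10", "0.0.0.0", 443, "https"),
    Listener("10.20.0.31", "127.0.0.1", 5432, "postgres"),   # loopback only, fine
    Listener("10.20.0.57", "0.0.0.0", 8080, "app"),           # unregistered host
    Listener("10.20.0.57", "0.0.0.0", 5432, "postgres"),      # unregistered host
]
RULES = [
    Rule("0.0.0.0/0", "10.20.0.10/32", 443, "allow"),   # portal, intended
    Rule("0.0.0.0/0", "10.20.0.0/24", 8080, "allow"),   # overly broad: whole segment
    Rule("10.0.0.0/8", "10.20.0.0/24", None, "allow"),  # intranet may reach anything
]

if __name__ == "__main__":
    for f in audit_exposure(LISTENERS, RULES, INVENTORY):
        print(f"{f['host']}:{f['port']} ({f['service']}) {f['status']} owner={f['owner']}")
```

The audit is only as good as its inputs: it models the ruleset rather than testing it, so the periodic check that actually catches a misconfiguration like this one is an authenticated scan from outside the perimeter compared against the same inventory. The broad 8080 rule is what turns an unregistered host into an internet-facing one; a rule written per host, as for the portal, would not have matched it.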
Timeline
- 2010-09-01 Breach occurred
- 2010-09-27 Publicly disclosed
- 2010-09-27 Patients notified