Data leak
New York-Presbyterian Hospital / Columbia University Shared Network Breach (4.8M HIPAA Fine)
Primary Source
Incident Details
New York-Presbyterian Hospital (NYP) and Columbia University Medical Center (CU) operated a shared data network that included electronic health records. In September 2010, a Columbia University physician attempted to decommission a personally owned computer server that was connected to the shared network, but did so without proper decommissioning procedures and without adequate firewall protection. As a result, approximately 6,800 patient records became accessible via internet searches. A patient discovered the breach by searching for information about a deceased loved one and finding their medical information in search results. HHS OCR investigated and in May 2014 imposed a record $4.8 million HIPAA civil monetary penalty settlement, the largest HIPAA settlement at that time ($3.3 million against NYP and $1.5 million against CU). The amount was split because both entities had joint responsibility for the shared network and both violated HIPAA Security Rule requirements. Key violations included: failure to implement appropriate security configurations to protect patient data on the shared network, failure to conduct adequate risk analyses, and failure to implement policies and procedures for network device security. The case established that covered entities sharing a network can each be independently liable for breaches, and that misconfigured or improperly decommissioned equipment poses a HIPAA risk.
Technical Details
- Initial Attack Vector
- A Columbia University physician decommissioned a personal server that was connected to the shared Columbia/NYP network without following proper procedures; the server lacked server-level firewall protections, resulting in approximately 6,800 patient records becoming accessible on the internet
Timeline
- 2010-09-01 Breach occurred
- 2011-01-01 Publicly disclosed
- 2011-01-01 Customers notified