A medical center in New York City was recently fined $4.75 million and required to implement a corrective action plan after federal regulators found potential HIPAA violations. The violations were uncovered during an investigation into a hospital employee who sold patient data to an identity theft ring back in 2013.
On Tuesday, the Office for Civil Rights of the U.S. Department of Health and Human Services announced a settlement with Montefiore Medical Center in response to data security failures at the organization. These failures resulted in an employee accessing and selling patients’ protected health information between January and June 2013.
According to HHS OCR, officials at the medical center were not made aware of the situation until May 2015 when the New York Police Department notified them about evidence of stolen medical information belonging to a specific patient. As a result, Montefiore Medical Center conducted an internal investigation and discovered that two years earlier, one of their employees had sold the electronic protected health information of thousands of patients to an identity theft ring.
The theft of electronic health records involving 12,517 individuals was reported to HHS OCR in July 2015 by Montefiore.
According to OCR, its inquiry revealed several potential violations of the HIPAA Security Rule by Montefiore. These include a failure to analyze and identify potential risks and vulnerabilities to PHI, inadequate monitoring and safeguarding of activity in its health information systems, and a failure to implement policies and procedures for recording and examining activity in systems that contain or use PHI.
According to a statement from HHS OCR, Montefiore Medical Center was unable to prevent or even detect a cyberattack due to the absence of these safeguards, and only became aware of the attack years later.
HHS OCR Director Melanie Fontes Rainer stated that cyberattacks by malicious insiders are, regrettably, becoming more frequent.
According to her, the situation demands immediate and diligent attention to protecting confidential patient data. The Montefiore case serves as a reminder of the serious threats that healthcare organizations face from cybercriminals and internal perpetrators alike.
Along with the multimillion-dollar financial settlement, Montefiore has also committed to following a corrective action plan. This plan entails performing a comprehensive security risk assessment of electronic PHI, addressing any identified risks or vulnerabilities, establishing audit controls to monitor ePHI activity, and reviewing and revising their privacy and security policies and protocols.
The corrective action plan additionally entails Montefiore disseminating its revised privacy and security policies and procedures to its employees, as well as providing training materials that cover the HIPAA Privacy, Security, and Breach Notification rules for all staff with PHI access.
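The safeguards at issue here, recording and examining activity in systems that hold ePHI and the audit controls the corrective action plan requires, are what would have surfaced an insider opening thousands of unrelated charts. The following is an added illustration, not Montefiore's code, OCR's guidance, or a real EHR log: it parses a hypothetical comma-separated access log (the field layout, user names, role names and the 25-record floor and 4x role-median multiplier are all assumptions for this example) and flags user-days whose count of distinct patient records is far outside the norm for that user's role. The sample log lines are constructed, including the one user who opens 60 charts in an hour.

```python
"""Audit-control illustration (added example, hypothetical log format).

Flags user-days in an EHR access log where one account touches far more
distinct patient records than peers in the same role.  Thresholds are
illustrative, not taken from any regulation or from the Montefiore case.
"""
from collections import defaultdict
from statistics import median

# Constructed sample log, not real data.  Hypothetical columns:
# timestamp,user,role,patient_id,action
SAMPLE_LOG_LINES = [
    "2013-03-04T08:02:11,nurse01,nurse,P100,view",
    "2013-03-04T08:15:40,nurse01,nurse,P101,view",
    "2013-03-04T09:05:02,nurse01,nurse,P102,view",
    "2013-03-04T09:40:19,nurse01,nurse,P100,update",
    "2013-03-04T08:10:00,clerk02,registration,P200,view",
    "2013-03-04T08:12:30,clerk02,registration,P201,view",
    "2013-03-04T08:20:05,clerk02,registration,P202,view",
    "2013-03-04T13:01:00,clerk03,registration,P210,view",
    "2013-03-04T13:04:00,clerk03,registration,P211,view",
    "2013-03-04T13:09:00,clerk03,registration,P212,view",
    "2013-03-04T13:15:00,clerk03,registration,P213,view",
]
# Constructed insider pattern: clerk07 opens 60 different charts within one hour.
SAMPLE_LOG_LINES += [
    f"2013-03-04T17:{i // 60:02d}:{i % 60:02d},clerk07,registration,P{300 + i},view"
    for i in range(60)
]
SAMPLE_LOG = "\n".join(SAMPLE_LOG_LINES)


def parse_log(text):
    """Parse hypothetical 'timestamp,user,role,patient_id,action' lines."""
    events = []
    for line in text.strip().splitlines():
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient, action = line.split(",")
        events.append({"ts": ts, "day": ts[:10], "user": user,
                       "role": role, "patient": patient, "action": action})
    return events


def distinct_patients_per_user_day(events):
    """Map (user, role, day) -> set of distinct patient_ids touched that day."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["role"], e["day"])].add(e["patient"])
    return seen


def flag_bulk_access(events, floor=25, multiplier=4.0):
    """Return user-days whose distinct-patient count is both at least `floor`
    and more than `multiplier` times the median of other user-days in the
    same role.  With no peers in the role, only the absolute floor applies.
    Both parameters are illustrative defaults (assumption)."""
    counts = {k: len(v) for k, v in distinct_patients_per_user_day(events).items()}
    by_role = defaultdict(list)
    for (user, role, day), n in counts.items():
        by_role[role].append(((user, day), n))

    flagged = []
    for (user, role, day), n in sorted(counts.items()):
        peers = [m for (key, m) in by_role[role] if key != (user, day)]
        baseline = median(peers) if peers else None
        above_peers = baseline is None or n > multiplier * baseline
        if n >= floor and above_peers:
            flagged.append({"user": user, "role": role, "day": day,
                            "distinct_patients": n, "role_median": baseline})
    return flagged


if __name__ == "__main__":
    for hit in flag_bulk_access(parse_log(SAMPLE_LOG)):
        print(f"{hit['day']} {hit['user']} ({hit['role']}): "
              f"{hit['distinct_patients']} distinct patients, "
              f"role median {hit['role_median']}")
```

Comparing against peers in the same role rather than a single global threshold matters in a hospital: a unit clerk legitimately opens far more charts than a consulting physician, so a flat cutoff either floods reviewers or misses the insider. A real deployment would also join against patient assignments (treating relationship), look at after-hours access, and retain the logs long enough for an investigation that, as in this case, may begin two years after the fact.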
Montefiore, in a statement provided to Information Security Media Group, shared that following the discovery of the incident and in the years since then, rigorous measures have been implemented to enhance system security and safeguard patient information.
According to the medical center, Montefiore has terminated the employee responsible for stealing patient information. The individual was arrested and convicted of three felonies in connection with the incident.
According to the medical center, Montefiore had taken preemptive measures to enhance monitoring capabilities and safeguard patient information from theft or other criminal acts. This was done prior to receiving official notification of the theft, and involved implementing additional technical safeguards for all electronic records.
In light of the event, Montefiore reported that it has elevated its training and outreach efforts amongst staff in order to reinforce their privacy and security protocols.
Montefiore emphasized their dedication to safeguarding patient information in light of ongoing data breaches and cyberattacks faced by healthcare systems nationwide. They remain fully committed to upholding strict safety protocols and cybersecurity measures for the protection of patients’ privacy.