Montefiore settles with OCR for $4.75M over stolen ePHI

A decade ago, malicious insiders sold patient health data to an identity theft crime ring and put the nonprofit provider into a HIPAA investigation. OCR reminds health systems that they have a giant target – no matter their size or stature.
By Andrea Fox
10:47 AM

Update: Comments from Montefiore Medical Center have been added to the story on February 7, 2024.

The U.S. Department of Health and Human Services Office for Civil Rights announced Monday that its settlement and corrective action with Montefiore Medical Center, a nonprofit hospital system based in New York City, resolves multiple potential failures of the Health Insurance Portability and Accountability Act. 

WHY IT MATTERS

After the New York Police Department informed Montefiore Medical Center that a specific patient’s medical information had been stolen in May 2015, the healthcare organization conducted an investigation and then reported that a staff member had stolen the electronic protected health information of 12,517 patients and sold it.

The employee stole and sold ePHI over six months, and OCR said in a statement that the $4.75 million monetary settlement was related to data security failures by Montefiore. 

While cyberattacks from malicious insiders are "not uncommon," ePHI risks must be addressed, according to OCR Director Melanie Fontes Rainer. 

"This investigation and settlement with Montefiore are an example of how the healthcare sector can be severely targeted by cybercriminals and thieves - even within their own walls," Fontes Rainer said in a statement.

"Cyberattacks do not discriminate based on organization size or stature, and it’s incumbent that our healthcare system follows the law to protect patient records." 

OCR said it will monitor Montefiore Medical Center's cybersecurity corrective action plan for two years to ensure HIPAA compliance and stressed the need for healthcare providers, health plans, clearinghouses and HIPAA-covered business associates to neutralize cyber threats with industry best practices.

The agency noted eight regional offices conduct cybersecurity training and also recommended HIPAA-covered entities refer to the following resources:

Montefiore reached out to Healthcare IT News Wednesday and noted that health organizations had the highest number of cyberattacks last year compared to any other critical infrastructure industry in New York.
 
And while the matter "dates back many years" and was self-reported by Montefiore, the provider said it’s taken several actions to "improve the security of our systems and to reinforce the protection of patient information," including increased privacy and security training outreach to the staff.
 
"With healthcare systems across the country continuing to be targets for data breaches and other malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients' privacy," a spokesperson from the company said by email.

THE LARGER TREND

HHS worked with the Cybersecurity and Infrastructure Security Agency on a Cybersecurity Toolkit for Healthcare and Public Health in October, released a cybersecurity strategy for the healthcare sector in December and more recently, announced voluntary performance goals to enhance cybersecurity across the health sector.

Essential goals set "a floor of safeguards" to better protect healthcare organizations from cyberattacks, improve incident response and minimize risk, the agency said as it released the voluntary goals. It also would "work with Congress to obtain new authority and funding to administer financial support and incentives for domestic hospitals to implement high-impact cybersecurity practices."

Insider threats can come from staff working on-site as well as from former employees' access credentials, and it's helpful for health systems to rethink their cybersecurity culture, according to healthcare cybersecurity experts.

Ahead of the 2023 HIMSS Cybersecurity Forum, Dr. Eric Liederman, Kaiser Permanente's director of medical informatics, said that showing patients that healthcare organizations take their personal safety and personal data safety seriously is also key to establishing trust with them.

ON THE RECORD

"Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable," HHS Deputy Secretary Andrea Palm said in the announcement. "HHS will continue to remind healthcare systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure." 

Andrea Fox is senior editor of Healthcare IT News.
Email: afox@himss.org

Healthcare IT News is a HIMSS Media publication.
