The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a settlement with Montefiore Medical Center, a non-profit hospital system in New York City, concerning multiple potential violations of the HIPAA Security Rule. The $4.75 million settlement arises from data security breaches at Montefiore, leading to an employee stealing and selling patients’ protected health information over a six-month period.
In a statement, OCR Director Melanie Fontes Rainer emphasized the increasing risk of cyber-attacks from malicious insiders: “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently. This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls.”

The settlement aligns with HHS’ broader cybersecurity strategy for the health care sector, reflecting the department’s commitment to enhancing cybersecurity measures across the industry. HHS Deputy Secretary Andrea Palm stressed the importance of maintaining patient trust in securing medical records: “Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable. Our priority is and always has been improving the quality of health care patients receive. Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”
The investigation originated in May 2015 when the New York Police Department alerted Montefiore Medical Center to evidence of the theft of a specific patient’s medical information. Subsequent internal investigations revealed that an employee had stolen electronic protected health information from 12,517 patients two years earlier, selling the data to an identity theft ring. Montefiore Medical Center reported the breach to OCR, prompting an investigation that uncovered multiple potential violations of the HIPAA Security Rule. These included failures in risk analysis, monitoring of health information systems, and the implementation of policies and procedures for recording and examining activity in systems containing protected health information. Montefiore Medical Center, lacking these safeguards, was unable to prevent or detect the cyberattack until years later.
Under the settlement terms, Montefiore Medical Center will pay $4,750,000 to OCR and implement a corrective action plan with measures to protect the security of protected health information. These actions involve conducting a comprehensive assessment of security risks and vulnerabilities, developing a written risk management plan, implementing mechanisms to record and examine activity in information systems, reviewing and revising policies to comply with HIPAA rules, and providing workforce training on HIPAA policies and procedures. OCR will closely monitor Montefiore Medical Center for two years to ensure compliance with these measures.
In OCR’s breach reports, the alarming increase in affected individuals—134 million in 2023 compared to 55 million in 2022—emphasizes the urgency for health care providers, health plans, clearinghouses, and business associates covered by HIPAA to implement safeguards against cyber threats. OCR recommends measures such as reviewing vendor and contractor relationships, integrating risk analysis and management into business processes, ensuring audit controls and regular reviews of information system activity, implementing multi-factor authentication, encrypting protected health information, incorporating lessons learned from previous incidents, and providing ongoing training to reinforce workforce members’ roles in protecting privacy and security. These proactive steps aim to mitigate or prevent cyber threats, safeguarding patient information as digital healthcare evolves.