This past week, Montefiore Medical Center agreed to pay $4.75 million for numerous data security flaws that violated HIPAA and allowed a former employee to steal and sell information of over 12,000 patients in just six months.

In 2015, the New York Police Department informed the nonprofit medical center that information for one of its patients had been stolen. Montefiore launched an internal investigation that revealed that two years earlier, an employee stole the electronic protected health information of 12,517 patients and sold it to an identity theft ring.

The Office for Civil Rights (OCR) then investigated and found the breach to be the result of violations of the HIPAA Security Rule, including Montefiore’s failure to analyze and identify potential risks and vulnerabilities to protected health information; monitor and safeguard its health information systems’ activity; and implement policies and procedures to record and examine activity in information systems containing or using protected health information.
“This investigation and settlement with Montefiore are an example of how the healthcare sector can be severely targeted by cybercriminals and thieves — even within their own walls,” said OCR director Melanie Fontes Rainer in a statement.

In addition to the sum it will pay, Montefiore has agreed to implement corrective actions to better secure protected health information in the future:

• Regularly perform accurate and thorough assessments of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI


• Develop a written risk management plan for mitigating issues identified in the risk analysis


• Implement a plan for hardware, software, and other procedural mechanisms that record and examine activity in all information systems with ePHI


• Review and revise, if necessary, written policies and procedures to comply with the HIPAA Privacy and Security Rules


• Train its workforce on HIPAA policies and procedures

OCR, which will monitor Montefiore Medical Center for two years to ensure compliance, says that providers should regularly review information system activity, integrate risk analysis and risk management into business processes, and examine its relationships with vendors and contractors to ensure business associate agreements are in place to ensure compliance and mitigate risk to data security and privacy.

To prevent unauthorized users, including ones under their employment, providers should also adopt multifactor authentication protocols, and encrypt protected health information. Lessons from previous security incidents should also be incorporated into present cybersecurity strategies, and regular staff training should be carried out with explanations of how security is part of their job responsibilities.

Health IT Homepage