OCR Reaches $4.75M Settlement With NY Health System

OCR reached a settlement with Montefiore Medical Center over potential HIPAA Security Rule violations that occurred over a decade ago.

By Jill McKeon

UPDATE 2/7/2024 - This article has been updated to include a statement from a Montefiore Medical Center spokesperson.

The HHS Office for Civil Rights (OCR) announced a $4.75 million settlement with Montefiore Medical Center, a New York City-based nonprofit health system. The settlement resolved potential HIPAA Security Rule failures that resulted in a hospital employee stealing and selling patient health information in 2013.

In addition to the monetary settlement, Montefiore Medical Center will implement a corrective action plan to further protect patient health information.

The incident was brought to Montefiore Medical Center’s attention in May 2015, when the New York Police Department notified the health system that it had discovered evidence of theft of a specific patient’s medical information.

An internal investigation by the health system determined that in 2013, one employee had stolen the protected health information (PHI) of 12,517 patients, subsequently selling the information to an identity theft ring. Montefiore filed a breach report with OCR following the discovery.

OCR’s investigation into the incident determined that Montefiore Medical Center had failed to implement adequate policies to record activity in its information systems and had failed to identify potential risks and vulnerabilities.

“Without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later,” OCR stated.

Montefiore agreed to implement several corrective actions, all of which will be monitored by OCR over the next two years to ensure compliance. The health system will provide workforce training on HIPAA policies and procedures, conduct risk assessments, develop a written risk management plan, and develop a plan to implement hardware and software to record activity in all information systems that contain PHI.

“With health care systems across the country continuing to be targets for data breaches and other malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients’ privacy,” a Montefiore spokesperson said in a statement shared with HealthITSecurity.

To OCR, the Montefiore incident highlighted the persistent risk that insider threats pose to healthcare organizations.

“Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” OCR Director Melanie Fontes Rainer said in OCR’s announcement.

“This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls.”

OCR stressed the importance of HIPAA-covered entities and business associates implementing key safeguards to mitigate cyber risk, including using multifactor authentication and reviewing vendor relationships. Employee training and reinforcing every workforce member’s role in privacy and security are also crucial, OCR noted.

“Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable,” said HHS Deputy Secretary Andrea Palm.

“Our priority is and always has been improving the quality of health care patients receive. Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”