HHS Settles $4.75M OCR Agreement with Montefiore Medical Center Over HIPAA Security Violations

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a $4.75 million settlement with Montefiore Medical Center, a non-profit hospital system in New York City, resolving potential violations of the HIPAA Security Rule. The settlement follows a malicious insider incident in which an employee stole patients' protected health information and sold it over a six-month period. OCR enforces federal health information privacy law, including the HIPAA regulations, and plays a central role in upholding civil rights, privacy, and security law in the healthcare sector. The settlement underscores the growing threat of cyber-attacks, including those launched from inside healthcare organizations, and the need for prompt, diligent action to protect patient information.

OCR Director Melanie Fontes Rainer stressed that the healthcare sector must address risks promptly, particularly when facing attacks from malicious insiders: "Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently," she said. "This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves." The settlement is part of HHS's broader cybersecurity strategy and reflects its commitment to improving cybersecurity across the health sector. HHS Deputy Secretary Andrea Palm likewise emphasized the importance of trust in the protection of medical records, stating that improving the quality of healthcare by keeping patient information secure is a priority. The settlement resolves multiple potential HIPAA Security Rule violations by Montefiore Medical Center and illustrates the serious consequences of cybersecurity lapses within healthcare organizations.

The malicious insider incident came to light in May 2015 when the New York Police Department informed Montefiore Medical Center of the theft of a specific patient’s medical information. Subsequent internal investigations revealed that an employee had stolen electronic protected health information from 12,517 patients and sold it to an identity theft ring. OCR’s investigation exposed several HIPAA Security Rule failures by Montefiore, including inadequate risk analysis, monitoring, and safeguarding of health information systems, as well as a lack of policies and procedures for recording and examining activity in systems containing protected health information.  

As part of the settlement, Montefiore Medical Center will pay $4,750,000 to OCR and implement a corrective action plan. This plan includes conducting a comprehensive assessment of security risks, developing a risk management plan, implementing mechanisms to record and examine activity in information systems, reviewing and revising policies to comply with HIPAA rules, and providing workforce training on HIPAA policies and procedures. OCR will monitor Montefiore for two years to ensure compliance with these measures. 

The settlement emphasizes the need for healthcare entities to invest in robust cybersecurity infrastructure, integrate risk analysis into business processes, and prioritize regular employee training. With over 134 million individuals affected by large breaches in 2023, OCR recommends implementing safeguards such as business associate agreements, audit controls, multi-factor authentication, encryption of protected health information, and ongoing training to reinforce workforce members' role in safeguarding privacy and security. As part of its ongoing initiative, OCR provides resources, including telehealth privacy and security tips, guidance for healthcare providers, cybersecurity newsletters, and webinars, aimed at supporting data privacy and security in the healthcare industry.
