Federal regulators have fined Montefiore Medical Center in New York City $4.75 million over a HIPAA breach involving insider identity theft. Between January and June 2013, an employee stole patient data and sold it to an identity theft ring. The medical center did not learn of the theft until 2015, which prompted an internal investigation and a subsequent report to the U.S. Department of Health and Human Services’ Office for Civil Rights (OCR).
OCR’s investigation identified multiple HIPAA Security Rule violations by Montefiore, including failures to analyze and address risks and vulnerabilities to protected health information (PHI), to monitor activity on its health information systems, and to implement adequate policies and procedures for protecting PHI. Because the thief was an employee rather than an outside attacker, there was no intrusion to catch at the perimeter; detecting the theft would have required logging and reviewing who accessed which patient records, and that monitoring was not in place. The result was an insider theft that went undetected for roughly two years, underscoring that healthcare organizations need audit controls on PHI access, not only defenses against external attack.
In addition to the financial penalty, Montefiore has agreed to implement a comprehensive corrective action plan to address the identified deficiencies and enhance its data security posture. The plan includes conducting a thorough security risk analysis, implementing audit controls for PHI activity monitoring, and updating privacy and security policies and procedures. Training and outreach efforts will also be intensified to reinforce privacy and security standards among staff members.
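What "audit controls for PHI activity monitoring" means in practice, as an added illustration rather than anything from Montefiore's corrective action plan, OCR, or any EHR vendor: a small Python check that reads an access log and flags two patterns an insider selling records tends to produce, a user opening far more distinct patient charts in a day than is normal for their role, and a user reaching records outside the clinics their role is assigned to. The log format, the role-to-clinic mapping, the daily baselines, and the sample log lines are all constructed assumptions for this example.

```python
"""Added example: two audit-control checks over an EHR access log.

Not code from Montefiore, OCR, or any vendor. The CSV layout, the roles,
the clinic assignments and the thresholds are assumptions for illustration.
"""
import csv
import io
from collections import defaultdict

# Constructed sample access log (not real data). Columns:
# timestamp, user id, user's role, patient id, clinic that owns the record.
SAMPLE_LOG = """\
timestamp,user,role,patient,clinic
2013-03-04T08:02:11,u1021,billing_clerk,p5001,cardiology
2013-03-04T08:05:40,u1021,billing_clerk,p5002,cardiology
2013-03-04T08:07:03,u1021,billing_clerk,p5003,cardiology
2013-03-04T08:09:55,u1021,billing_clerk,p5004,cardiology
2013-03-04T08:11:20,u1021,billing_clerk,p5005,cardiology
2013-03-04T08:13:49,u1021,billing_clerk,p5006,cardiology
2013-03-04T09:30:00,u2044,nurse,p7001,oncology
2013-03-04T10:15:12,u2044,nurse,p7002,oncology
2013-03-04T11:40:31,u2044,nurse,p5001,cardiology
2013-03-05T08:01:00,u1021,billing_clerk,p5007,cardiology
2013-03-05T08:02:00,u1021,billing_clerk,p5008,cardiology
"""

# Assumed policy inputs. Which clinics each role may touch, and how many
# distinct patient records per day is ordinary for that role. In a real
# deployment these come from the risk analysis and from observed history;
# the baselines here are deliberately low so the sample log trips them.
ROLE_CLINICS = {
    "billing_clerk": {"cardiology", "oncology"},
    "nurse": {"oncology"},
}
DAILY_BASELINE = {"billing_clerk": 5, "nurse": 20}


def parse_log(text):
    """Parse the CSV access log into a list of dict rows."""
    return list(csv.DictReader(io.StringIO(text)))


def flag_volume(events, baseline=DAILY_BASELINE):
    """Return (user, day, count) for each user-day whose number of distinct
    patient records exceeds the role's baseline.

    Distinct patients are counted rather than raw events, so a clinician
    re-opening one chart many times does not trip the rule. A role with no
    configured baseline gets 0, so any access by it is flagged for review.
    """
    per_day = defaultdict(set)
    role_of = {}
    for e in events:
        day = e["timestamp"][:10]  # ISO timestamp, date part only
        per_day[(e["user"], day)].add(e["patient"])
        role_of[e["user"]] = e["role"]
    flagged = []
    for (user, day), patients in sorted(per_day.items()):
        if len(patients) > baseline.get(role_of[user], 0):
            flagged.append((user, day, len(patients)))
    return flagged


def flag_out_of_scope(events, allowed=ROLE_CLINICS):
    """Return every event in which a user reached a record belonging to a
    clinic their role is not assigned to. An unknown role is allowed nothing."""
    return [e for e in events if e["clinic"] not in allowed.get(e["role"], set())]


if __name__ == "__main__":
    events = parse_log(SAMPLE_LOG)
    for user, day, count in flag_volume(events):
        print(f"volume: {user} opened {count} distinct charts on {day}")
    for e in flag_out_of_scope(events):
        print(f"scope:  {e['user']} ({e['role']}) accessed {e['patient']} "
              f"in {e['clinic']} at {e['timestamp']}")
```

Two caveats a practitioner would add. A volume rule only catches an insider who exceeds the baseline; someone who pulls a handful of records a day for six months stays under it, which is why the scope rule and periodic review of access to records with no matching encounter matter as well. And the checks are only an audit control if someone actually reviews what they flag; OCR's finding against Montefiore was that activity on its systems was not being monitored at all, not that a particular rule was miscalibrated.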