Insider Data Breaches Reported by Montefiore Medical Center and Mercy Health

Insider data breaches have been reported by Montefiore Medical Center and Mercy Health. Both incidents involved an employee accessing patient information when there was no legitimate work-related reason for doing so.

Former Montefiore Medical Center Employee Accessed Patient Data for Billing Scam

Montefiore Medical Center in New York City has discovered that a former employee accessed patient information as part of a billing scam. Patient names, medical record numbers, and surgery dates were viewed and, together with a vendor, used to create invoices for surgical products that had never been used.

Montefiore Medical Center discovered the fraud after the invoices had been paid and launched an investigation that revealed the former employee had accessed the information of approximately 4,000 patients without authorization between January 2018 and July 2020.

Medical records, Social Security numbers, and financial information were not accessed, and the investigation has not uncovered any evidence to suggest patients or their insurance companies were defrauded. The fraud has been reported to law enforcement and the investigation is ongoing.

Montefiore Medical Center said the former employee died during the investigation and the vendor has been banned from all Montefiore campuses.

Montefiore Medical Center has taken steps to prevent similar incidents in the future. The paper forms involved in the scam are no longer used and procedures for processing invoices for surgical supplies are being reviewed.

Criminal background checks are already conducted prior to appointment, and all employees receive training on privacy policies. Employees are made aware that the medical center has a zero-tolerance policy for accessing medical records without a work-related reason for doing so.

Mercy Health Discovers Unauthorized PHI Access by Former Employee

Mercy Health in St. Louis has started notifying certain patients that some of their protected health information has been accessed by a member of staff for reasons other than providing care.

The insider breach was discovered by Mercy Health on October 7, 2020. The investigation revealed the employee had accessed patient information on multiple occasions when the information was not required for providing care to patients. The reason for the unauthorized access has not been made public.

Affected patients have been advised to monitor their credit reports and billing and account statements and to report any unauthorized activity. As a precaution against identity theft and fraud, affected patients have been offered a complimentary 1-year membership to IDX identity theft protection services.

For the majority of affected patients, the information accessed was limited to name, address, demographic information, date of birth, medical record number, treatment information, clinical information, and/or radiological images. The former employee also viewed the health insurance ID numbers of a limited number of patients.

Mercy Health has since enhanced procedures to prevent similar incidents in the future and the staff has been re-educated on compliance with Mercy Health’s policies and procedures.

The HHS’ Office for Civil Rights breach portal shows that up to 11,187 patients have been affected.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.