The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Insider Data Breaches Reported by Montefiore Medical Center and Mercy Health

Insider data breaches have been reported by Montefiore Medical Center and Mercy Health. Both incidents involved an employee accessing patient information when there was no legitimate work-related reason for doing so.

Former Montefiore Medical Center Employee Accessed Patient Data for Billing Scam

Montefiore Medical Center in New York City has discovered that a former employee accessed patient information as part of a billing scam. Patient names, medical record numbers, and surgery dates were viewed and used, in connection with a vendor, to create invoices for unused surgical products.

Montefiore Medical Center discovered the fraud after the invoices had been paid and launched an investigation that revealed the former employee had accessed the information of approximately 4,000 patients without authorization between January 2018 and July 2020.

Medical records, Social Security numbers, and financial information were not accessed, and the investigation has not uncovered any evidence to suggest patients or their insurance companies were defrauded. The fraud has been reported to law enforcement and the investigation is ongoing.


Montefiore Medical Center said the former employee died during the investigation and the vendor has been banned from all Montefiore campuses.

Montefiore Medical Center has taken steps to prevent similar incidents in the future. The paper forms involved in the scam are no longer used and procedures for processing invoices for surgical supplies are being reviewed.

Criminal background checks are already conducted prior to appointment and all employees receive training on privacy policies and are made aware that the medical center has a zero-tolerance policy concerning accessing medical records unless there is a work-related reason for doing so.

Mercy Health Discovers Unauthorized PHI Access by Former Employee

Mercy Health in St. Louis has started notifying certain patients that some of their protected health information has been accessed by a member of staff for reasons other than providing care.

The insider breach was discovered by Mercy Health on October 7, 2020. The investigation revealed the employee had accessed patient information on multiple occasions when the information was not required for providing care to patients. The reason for the unauthorized access has not been made public.

Affected patients have been advised to monitor their credit reports and billing/accounts statements and to report any unauthorized activity. As a precaution against identity theft and fraud, affected patients have been offered a complimentary 1-year membership to IDX identity theft protection services.

For the majority of affected patients, the information accessed was limited to name, address, demographic information, date of birth, medical record number, treatment information, clinical information, and/or radiological images. The former employee also viewed the health insurance ID numbers of a limited number of patients.

Mercy Health has since enhanced procedures to prevent similar incidents in the future and the staff has been re-educated on compliance with Mercy Health’s policies and procedures.

The HHS’ Office for Civil Rights breach portal shows up to 11,187 patients have been affected.

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com
