Montefiore Medical Center Fires Employee for Unauthorized Record Access

Montefiore Medical Center has discovered another employee has accessed patient information with no legitimate work reason for doing so.

The New York hospital announced in February 2020 that an employee had been discovered to have accessed medical records without authorization for 5 months in 2020, and another employee was found to have obtained the PHI of approximately 4,000 patients between January 2018 and July 2020.

The latest discovery involved an employee accessing the records of patients without authorization for more than a year. The breach was identified by Montefiore’s FairWarning software, which monitors records for inappropriate access.

When unauthorized medical record access was discovered, the employee was suspended pending an investigation. A review of record access confirmed that the employee had accessed records with no legitimate work reason for doing so between January 2020 and February 2021.

The types of information accessed varied from patient to patient and included first and last names, medical record numbers, addresses, emails, dates of birth, and the last 4-digits of Social Security numbers. Montefiore found no evidence that financial information or clinical information was accessed.

The unauthorized record access violated Montefiore’s policies and HIPAA. The employee was fired, and the matter was referred to law enforcement for possible criminal prosecution. The OCR breach portal indicates 943 individuals were affected.

Belden Facing Class Action Lawsuit Over November 2020 Data Breach

Belden, a U.S. vendor of networking equipment, is facing a class action lawsuit over a November 12, 2020 data breach in which the personal information of current and former employees was compromised. Hackers gained access to a limited number of file servers and exfiltrated employee data and information about some of its business partners.

The breach has recently been reported to the HHS’ Office for Civil Rights as involving the protected health information of 6,348 individuals. Names, Social Security numbers, tax identification numbers, financial account numbers, home addresses, email addresses, dates of birth and other employment-related information were stolen. Belden announced the breach on November 24, 2020 and started notifying affected individuals on December 14, 2020.

The lawsuit, Edke v. Belden Inc., alleges the plaintiff and class members have been harmed as a result of the breach and had to wait several weeks before being notified that their personal information had been stolen. They allege the data breach has placed them at “significant risk of identity theft and various other forms of personal, social, and financial harm.” The lawsuit alleges Belden was careless and negligent, and security failures at the company allowed patient data to be stolen.

Author: Steve Alder has many years of experience as a journalist, and comes from a background in market research. He is a specialist on legal and regulatory affairs, and has several years of experience writing about HIPAA. Steve holds a B.Sc. from the University of Liverpool.