The HIPAA Journal is the leading provider of news, updates, and independent advice for HIPAA compliance

Malicious Insider Incident at Montefiore Medical Center Results in $4.75 Million HIPAA Penalty

Posted By on Feb 7, 2024

The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced its first financial penalty of the year to resolve alleged violations of the Health Insurance Portability and Accountability Act (HIPAA). Montefiore Medical Center has agreed to settle the investigation and has paid a $4.75 million penalty to resolve the alleged HIPAA violations. With this one penalty, OCR has already exceeded its total collections from its HIPAA enforcement actions in 2023 and this is the largest financial penalty to be imposed by OCR since January 2021’s $5.1 million penalty for Excellus Health Plan.

Like the Excellus investigation, OCR uncovered multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was in response to a breach of the PHI of 9.35 million individuals. Montefiore Medical Center’s penalty stemmed from a report of a breach of the PHI of 12,517 patients. The scale of a data breach is taken into consideration by OCR when determining an appropriate penalty, but it is the nature of the underlying HIPAA violations that has the biggest impact on the size of a penalty, and Montefiore Medical Center’s HIPAA violations were deemed to be severe.

Montefiore Medical Center, a non-profit hospital system based in New York City, was notified by the New York Police Department in May 2015 that evidence had been uncovered of criminal HIPAA violations at the medical center. A patient’s protected health information had been stolen by an employee. An investigation was launched which revealed the employee had unlawfully accessed the medical records of 12,517 patients, copied their information, and sold the information to identity thieves. The former employee had been accessing the records without authorization for 6 months between January 1, 2013, and June 30, 2013.

Montefiore Medical Center notified OCR about the breach on July 22, 2015, and OCR informed Montefiore Medical Center on November 23, 2015, that it had initiated an investigation to assess whether the medical center was compliant with the HIPAA Rules. OCR determined that Montefiore Medical Center had failed to conduct an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; failed to implement procedures to review records of activity in information systems, and failed to implement hardware, software, or procedural mechanisms to record and examine activity in information systems.

Get The FREE
HIPAA Compliance Checklist

Immediate Delivery of Checklist Link To Your Email Address

Please Enter Correct Email Address

Your Privacy Respected

HIPAA Journal Privacy Policy

The insider incident investigated by OCR was not the last time that the medical center has had to deal with malicious insiders. There was an incident involving an employee accessing patient records without authorization between January 2018 and July 2020. The employee had accessed the records of 4,000 patients in connection with a vendor as part of a billing scam. In 2021, the medical center confirmed that another employee had accessed the medical records of patients without authorization over a period of 5 months in 2020. The Medical Center has since implemented a system to monitor patient records for unauthorized access by employees.

Montefiore Medical Center chose to settle the allegations with no admission of wrongdoing and agreed to implement a corrective action plan which includes the following requirements:

  • Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI.
  • Develop a written risk management plan or plans sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
  • Develop and implement a plan to implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
  • Review and revise current Privacy and Security Rules policies and procedures based on the findings of the risk analysis.
  • Distribute the revised policies and procedures to the workforce and provide training to the workforce on those revised policies and procedures.

OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for 2 years. “Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”

In the announcement about the settlement, OCR reminded HIPAA-regulated entities of their obligations under HIPAA to implement safeguards to mitigate or prevent cyber threats, including threats that originate inside as well as outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.

Montefiore Medical Center confirmed that action was taken following the breach and in the subsequent years to strengthen security. The employee concerned was investigated and terminated, and she was arrested and successfully prosecuted for the crimes. Before being notified by law enforcement, Montefiore had worked to expand its monitoring capabilities for applications that contain patient information and took steps to protect patient information from theft or similar criminal activity by adding additional technical safeguards to protect all electronic records. Training and outreach were also increased to remind staff members of their responsibilities with respect to HIPAA and patient privacy. “With health care systems across the country continuing to be targets for data breaches and other malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients’ privacy,” a spokesperson for the health systems told The HIPAA Journal.

 

Author: Steve Alder is the editor-in-chief of HIPAA Journal. Steve is responsible for editorial policy regarding the topics covered in The HIPAA Journal. He is a specialist on healthcare industry legal and regulatory affairs, and has 10 years of experience writing about HIPAA and other related legal topics. Steve has developed a deep understanding of regulatory issues surrounding the use of information technology in the healthcare industry and has written hundreds of articles on HIPAA-related topics. Steve shapes the editorial policy of The HIPAA Journal, ensuring its comprehensive coverage of critical topics. Steve Alder is considered an authority in the healthcare industry on HIPAA. The HIPAA Journal has evolved into the leading independent authority on HIPAA under Steve’s editorial leadership. Steve manages a team of writers and is responsible for the factual and legal accuracy of all content published on The HIPAA Journal. Steve holds a Bachelor’s of Science degree from the University of Liverpool. You can connect with Steve via LinkedIn or email via stevealder(at)hipaajournal.com

x

Is Your Organization HIPAA Compliant?

Find Out With Our Free HIPAA Compliance Checklist

Get Free Checklist