Montefiore Medical Center Agrees to $4.75 Million Settlement with HHS OCR for HIPAA Violations


Federal regulators imposed a $4.75 million penalty on a medical facility in New York City and demanded a comprehensive corrective plan to address potential violations of the Health Insurance Portability and Accountability Act (HIPAA). These actions were taken following the discovery of a breach in 2013, where an internal hospital employee unlawfully sold patient data to a group involved in identity theft.

The fine and corrective measures were announced by the Office for Civil Rights (OCR) at the U.S. Department of Health and Human Services. This decision comes in the wake of findings that pinpointed significant lapses in data security at Montefiore Medical Center, located in the Bronx. These lapses allowed for the unauthorized access and sale of sensitive patient information by a staff member from January to June 2013.

The medical center was oblivious to the breach until the New York Police Department alerted them in May 2015, revealing the unauthorized sale of a patient's medical details. This led Montefiore Medical Center to initiate an internal probe, uncovering that a staff member had, two years earlier, accessed and sold the electronic protected health information (ePHI) of thousands to an identity theft network.

Following this revelation, Montefiore reported the breach to the OCR in July 2015, indicating that electronic health records of 12,517 individuals were compromised.

The OCR's investigation unearthed several probable infractions of the HIPAA Security Rule by Montefiore. These included failures in conducting a comprehensive risk assessment of ePHI vulnerabilities, inadequate monitoring of system activities involving health information, and the absence of effective policies to document and review such activities.

The OCR emphasized that these oversights made it impossible for Montefiore Medical Center to either prevent the breach or detect it until much later. Melanie Fontes Rainer, the OCR Director, remarked on the prevalence of cyberattacks by insiders, underscoring the critical need to protect patient information proactively.

As part of the settlement, Montefiore consented to undertake a detailed security analysis of ePHI, rectify identified risks and vulnerabilities, enhance audit controls, and update its privacy and security policies and training programs.

Montefiore has since taken significant steps to bolster the security of its systems and safeguard patient data. The individual responsible for the data theft was terminated, arrested, and prosecuted successfully.

This enforcement action is among several recent HIPAA-related settlements initiated by the OCR, underscoring the agency's commitment to addressing noncompliance and enhancing the healthcare sector's cybersecurity posture.

Privacy and legal experts highlight the ongoing risk of internal threats and the importance of minimizing the use of sensitive information like Social Security numbers. Questions arise about the timeliness of OCR's enforcement actions, prompting a discussion on the efficiency of regulatory oversight in the rapidly evolving cybersecurity landscape.

The healthcare sector continues to be a prime target for cybercriminals, with a record number of data breaches reported last year, affecting millions of individuals and highlighting the urgent need for robust data protection measures.

Post a Comment

0 Comments