Another staff member at New York’s Montefiore Medical Center has been found to have been illegally viewing patient information. During February 2020, the medical center discovered a staff member had been accessing medical records without permission for a period of five months earlier that same year. In a separate incident a different employee was discovered to have stolen the PHI of around 4,000 patients between January 2018 to July 2020.
The most recent case of improper medical record access involved an employee accessing patients’ PHI with permission for more than 12 months. The HIPAA violation was spotted by Montefiore’s FairWarning software, which monitors records for improper access.
Following the discovery, the employee was suspended pending an investigation. The subsequent review found the employee in question had illegally accessed records at various time points from January 2020 to February 2021. The OCR breach report indicates 943 records were improperly accessed by the employee.
The range of information accessed was different for each individual impacted by the breach, but may have included first and last names, medical record information, address details, emails, dates of birth, and the final 4-digits of Social Security numbers. Montefiore found nothing to suggest that financial information or clinical information had been breached. The staff member has now been terminated for the HIPAA violation and law enforcement has been notified.
Belden Sued Over November Data Breach
Belden, a U.S. supplier of computer networking hardware is being sued over a November 12, 2020 data breach. The breach in question involved the personal information of previous and existing staff members. Hackers gained control of a few file servers and exfiltrated staff information and details related to some business partners.
The breach was made known to the HHS’ Office for Civil Rights and was reported to have impacted 6,348 people. Names, Social Security numbers, tax identification numbers, financial account information, home addresses, email addresses, dates of birth and other employment-related information were stolen. Belden made the breach public on November 24, 2020 and began informing those impacted on December 14, 2020.
Allegations are made in the filed lawsuit, Edke v. Belden Inc., that the plaintiff and class members have suffered damage due to the breach and had to wait several weeks before being made aware that their personal information had been stolen.
Additionally they are claiming that the data breach has put them at “significant risk of identity theft and various other forms of personal, social, and financial harm.” It goes on to claim that Belden carelessly handled sensitive information and was negligent, and sensitive data was stolen as a result of clear security failures.