The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced a $4.75 million settlement with Montefiore Medical Center in New York to resolve alleged violations of the HIPAA Security Rule discovered during a compliance review. OCR opened the review after receiving a breach report describing data theft by a malicious insider.
HIPAA enforcement actions commonly take many months, and often years, to resolve, but this one has taken longer than most: the investigation was opened more than eight years ago. Montefiore Medical Center notified OCR in July 2015 of a data breach involving the protected health information (PHI) of 12,517 patients, and OCR opened its investigation in November 2015.
In May 2015, the New York Police Department contacted Montefiore Medical Center with evidence that a specific patient's data had been stolen from the hospital. Montefiore's own investigation found that an employee had been accessing patients' medical records over a six-month period, from January 1, 2013, through June 30, 2013, and had been passing the data to identity thieves.
OCR's investigation identified multiple alleged violations of the HIPAA Security Rule. Montefiore Medical Center was alleged to have failed to conduct an accurate and thorough risk analysis identifying the potential risks and vulnerabilities to the confidentiality, integrity, and availability of its ePHI. It had not implemented procedures to regularly review records of activity in information systems containing ePHI, and it had not implemented the hardware, software, or procedural mechanisms needed to record and examine that activity. The employee's unauthorized access therefore went undetected. Those controls might not have prevented the initial unauthorized access, but they would have given the medical center a way to detect it, and the extent of the data theft would likely have been significantly reduced.
Montefiore Medical Center settled the alleged violations without admitting liability or wrongdoing. In addition to the financial penalty, it has agreed to a corrective action plan and to two years of OCR monitoring of its HIPAA compliance. The plan requires the medical center to conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all of its ePHI, and to develop a written risk management plan to address and mitigate the risks and vulnerabilities that analysis identifies. It must implement hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI, and regularly review that activity to identify unauthorized access. It must also review and update its HIPAA policies and procedures, distribute them to the workforce, and train the workforce on the new policies.
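The audit-control requirement in the corrective action plan (record and examine activity in systems holding ePHI, and review it regularly to identify unauthorized access) is easier to reason about with a concrete review routine. What follows is an added example written for this page; it is not code from Montefiore, OCR, or the corrective action plan, and the log format, role names, assignment table, thresholds, and sample entries are all constructed assumptions. It runs two checks over an EHR chart-access log: a volume check that compares each user's distinct charts per day against same-role peers, and a treatment-relationship check that flags chart views for patients the user has no assignment to.

```python
"""Audit-log review for ePHI chart access (added illustration, not any
real system's code). Log format, roles, thresholds and data are assumed."""
from collections import defaultdict
from datetime import datetime
from statistics import median


def parse_log(text):
    """Parse lines of '<ISO timestamp> <user> <role> <patient>' (assumed
    format) into event dicts; blank lines and '#' comments are skipped."""
    events = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, user, role, patient = line.split()
        events.append({"ts": datetime.fromisoformat(ts), "user": user,
                       "role": role, "patient": patient})
    return events


def distinct_patients_per_day(events):
    """Map (user, date) -> set of distinct patient ids viewed that day."""
    seen = defaultdict(set)
    for e in events:
        seen[(e["user"], e["ts"].date())].add(e["patient"])
    return seen


def flag_volume_anomalies(events, factor=3.0, floor=10):
    """Flag user-days whose distinct-chart count exceeds `factor` times the
    median of same-role peers on that day. `floor` is an absolute minimum so
    a tiny peer median does not flag ordinary activity. Returns a list of
    (user, date, count, peer_median)."""
    role_of = {e["user"]: e["role"] for e in events}
    per_day = distinct_patients_per_day(events)
    peers = defaultdict(list)          # (role, date) -> list of counts
    for (user, day), patients in per_day.items():
        peers[(role_of[user], day)].append(len(patients))
    flags = []
    for (user, day), patients in sorted(per_day.items()):
        count = len(patients)
        baseline = median(peers[(role_of[user], day)])
        if count > floor and count > factor * baseline:
            flags.append((user, day.isoformat(), count, baseline))
    return flags


def flag_unassigned_access(events, assignments):
    """Return sorted (user, patient) pairs where the user viewed a chart for
    a patient absent from their assignment list. A user with no entry in
    `assignments` has every access flagged."""
    hits = set()
    for e in events:
        if e["patient"] not in assignments.get(e["user"], set()):
            hits.add((e["user"], e["patient"]))
    return sorted(hits)


def constructed_log():
    """Constructed sample audit trail for one day (not real data)."""
    lines = []

    def add(hh, mm, user, role, patient):
        lines.append(f"2013-01-07T{hh:02d}:{mm:02d}:00 {user} {role} {patient}")

    add(9, 12, "u101", "nurse", "P0001")
    add(9, 40, "u101", "nurse", "P0002")
    add(10, 5, "u103", "nurse", "P0003")
    add(10, 30, "u103", "nurse", "P0010")      # not on u103's assignment list
    for i in range(5):                         # two clerks with ordinary volume
        add(11, i, "u104", "clerk", f"P02{i:02d}")
    for i in range(6):
        add(11, 10 + i, "u105", "clerk", f"P03{i:02d}")
    for i in range(40):                        # one clerk pulling 40 charts in an hour
        add(13, i, "u102", "clerk", f"P01{i:02d}")
    return "\n".join(lines)


# Assumed treatment-relationship table: user -> patients they may view.
ASSIGNMENTS = {
    "u101": {"P0001", "P0002"},
    "u103": {"P0003"},
    "u104": {f"P02{i:02d}" for i in range(5)},
    "u105": {f"P03{i:02d}" for i in range(6)},
    "u102": {f"P01{i:02d}" for i in range(5)},
}


def review(log_text=None, assignments=ASSIGNMENTS):
    """Run both checks; defaults to the constructed sample log."""
    events = parse_log(constructed_log() if log_text is None else log_text)
    return {"volume": flag_volume_anomalies(events),
            "unassigned": flag_unassigned_access(events, assignments)}


if __name__ == "__main__":
    result = review()
    for user, day, count, base in result["volume"]:
        print(f"VOLUME   {user} {day}: {count} charts vs peer median {base}")
    for user, patient in result["unassigned"]:
        print(f"NO-RELATIONSHIP {user} viewed {patient}")
```

Two caveats that matter in practice: a volume threshold is only a first pass, since an insider who pulls a few records a day stays under any peer baseline, which is why the relationship check and a human review queue are the more important half; and both checks are detective controls, not preventive ones, which matches the point above that logging would not have stopped the initial access but would have exposed it.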
“Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”
This is the first financial penalty OCR has imposed in 2024 to resolve HIPAA violations, and it is a sizable one: this single settlement exceeds the total OCR collected across all of its enforcement actions in 2023.