The Department of Health and Human Services (HHS) Office for Civil Rights (OCR) has announced the first financial penalty of 2024 to settle alleged HIPAA violations. Montefiore Medical Center has agreed to pay a $4.75 million penalty to resolve the alleged violations. This single penalty already exceeds OCR’s total collections from its HIPAA enforcement actions in 2023, and it is the largest financial penalty OCR has imposed since the $5.1 million penalty for Excellus Health Plan in January 2021.
As in the Excellus investigation, OCR found multiple failures to comply with the HIPAA Security Rule; however, the Excellus investigation was prompted by a PHI breach involving 9.35 million people, whereas the Montefiore Medical Center penalty is linked to a breach report affecting the PHI of 12,517 individuals. OCR considers the size of a data breach when deciding on a suitable penalty, but it is the nature of the underlying HIPAA violations that has the greatest influence on the amount. The HIPAA violations at Montefiore Medical Center were deemed serious.
In May 2015, the New York Police Department notified Montefiore Medical Center, a non-profit hospital system in New York City, that it had uncovered evidence of criminal HIPAA violations at the medical center. An employee had stolen a patient’s PHI. An investigation revealed that the worker had accessed the health records of 12,517 patients without authorization, copied their information, and offered the data for sale to identity thieves. The unauthorized access continued for six months, from January 1, 2013 to June 30, 2013.
Montefiore Medical Center reported the breach to OCR on July 22, 2015. On November 23, 2015, OCR informed Montefiore Medical Center that it had opened an investigation to determine whether the medical center was in compliance with the HIPAA Rules. OCR found that Montefiore Medical Center had not conducted an accurate and thorough risk analysis of the potential risks and vulnerabilities to the confidentiality, integrity, and availability of ePHI; had not implemented procedures to regularly review records of activity in information systems; and had not implemented hardware, software, or procedural mechanisms to record and examine activity in information systems containing ePHI.
The insider incident investigated by OCR was not the only malicious insider incident the medical center had experienced. In another incident, a worker accessed patient data without authorization from January 2018 to July 2020, obtaining the data of 4,000 individuals in connection with a vendor involved in billing fraud. In 2021, the medical center reported that yet another worker had accessed patients’ health records without authorization for five months in 2020. Since then, the Medical Center has used a program to track unauthorized access to patient data by employees.
Montefiore Medical Center chose to settle the allegations without admitting wrongdoing and agreed to a corrective action plan that includes the following:
- Conduct an accurate and thorough assessment of the potential security risks and vulnerabilities to the confidentiality, integrity, and availability of all ePHI.
- Develop a written risk management plan, or plans, sufficient to address and mitigate any security risks and vulnerabilities identified in the risk analysis.
- Develop and implement a plan to deploy hardware, software, and/or procedural mechanisms that record and examine activity in all information systems that contain or use ePHI.
- Review and revise current Privacy and Security Rule policies and procedures based on the findings of the risk analysis.
- Distribute the revised policies and procedures to the workforce and train employees on them.
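The third item of the corrective action plan, recording and examining activity in systems that hold ePHI, is the control that would have surfaced the 2013 incident: an employee touching thousands of patient records over six months leaves a volume pattern in the access log that a routine review can catch. The following is an added illustration of such a review, not code from OCR or from Montefiore Medical Center. It assumes a hypothetical access log in CSV form (timestamp, user, patient id, action), a hypothetical list of care-team assignments, and a hypothetical per-day baseline of five distinct patients; all three are constructed here for the example.

```python
"""Audit-log review for insider access to ePHI (added illustration).

Two checks a privacy office can run over an access log:
  1. volume: a user touching more distinct patient records in one day than a
     baseline for their role (here a hypothetical fixed threshold);
  2. relationship: a user opening a record for a patient who is not on their
     documented care team (hypothetical assignment table).
"""
from collections import defaultdict
from datetime import datetime

# Constructed sample log. Fields: ISO timestamp, user id, patient id, action.
# clerk07 exports seven records in ten minutes; nurse01 views one patient
# outside her assignments.
SAMPLE_LOG = """\
2013-01-02T09:15:00,nurse01,P1001,view
2013-01-02T09:20:00,nurse01,P1002,view
2013-01-02T09:40:00,clerk07,P2001,view
2013-01-02T09:41:00,clerk07,P2002,export
2013-01-02T09:42:00,clerk07,P2003,export
2013-01-02T09:43:00,clerk07,P2004,export
2013-01-02T09:44:00,clerk07,P2005,export
2013-01-02T09:45:00,clerk07,P2006,export
2013-01-02T09:46:00,clerk07,P2007,export
2013-01-03T10:00:00,nurse01,P1003,view
2013-01-03T10:05:00,nurse01,P3001,view
"""

# Constructed care-team assignments: patients each user legitimately treats.
ASSIGNMENTS = {
    "nurse01": {"P1001", "P1002", "P1003"},
    "clerk07": {"P2001"},
}


def parse_log(text):
    """Parse CSV access-log lines into dicts; blank lines are skipped."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, patient, action = line.split(",")
        records.append({"ts": datetime.fromisoformat(ts), "user": user,
                        "patient": patient, "action": action})
    return records


def daily_distinct_patients(records):
    """Map (user, calendar day) to the set of distinct patient ids touched."""
    seen = defaultdict(set)
    for r in records:
        seen[(r["user"], r["ts"].date())].add(r["patient"])
    return seen


def flag_volume(records, threshold):
    """(user, day, count) for every user-day exceeding `threshold` patients."""
    hits = []
    for (user, day), patients in daily_distinct_patients(records).items():
        if len(patients) > threshold:
            hits.append((user, day.isoformat(), len(patients)))
    return sorted(hits)


def flag_unassigned_access(records, assignments):
    """(user, patient, action) for accesses outside the user's care team."""
    return [(r["user"], r["patient"], r["action"]) for r in records
            if r["patient"] not in assignments.get(r["user"], set())]


def review(log_text, assignments, threshold=5):
    """Run both checks and return the findings for a reviewer's queue."""
    records = parse_log(log_text)
    return {"volume": flag_volume(records, threshold),
            "unassigned": flag_unassigned_access(records, assignments)}


if __name__ == "__main__":
    findings = review(SAMPLE_LOG, ASSIGNMENTS)
    for user, day, count in findings["volume"]:
        print(f"VOLUME   {user} touched {count} distinct patients on {day}")
    for user, patient, action in findings["unassigned"]:
        print(f"NO-RELATIONSHIP {user} {action} {patient}")
```

In practice the volume baseline is derived per role from historical logs rather than fixed, the assignment table comes from the scheduling or ADT system, and every finding is routed to a privacy officer for review rather than acted on automatically; what matters for the Security Rule is that the log exists, is retained, and is examined on a schedule.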
OCR will monitor Montefiore Medical Center for compliance with the HIPAA Rules for two years. This comes at a time when attacks by malicious insiders are common. The risks to patient PHI cannot be ignored and should be addressed promptly and diligently. OCR’s investigation of the Montefiore incident shows how cybercriminals and thieves can seriously harm the healthcare sector, even when firewalls are in place. Attacks do not discriminate by organization size or type, and healthcare systems must comply with the law to protect patient data.
In its statement on the settlement, OCR reminded HIPAA-covered entities of their obligations under HIPAA to implement safeguards that mitigate or prevent cyber threats, including threats that originate both inside and outside the organization. This settlement makes clear the consequences of failing to implement those safeguards.
Montefiore Medical Center stated that it had taken action after the breach, and in the years since, to strengthen security. The worker involved was investigated and terminated. She was arrested and successfully charged for the crimes. Prior to being informed by authorities, Montefiore had expanded its monitoring capabilities for systems containing patient data and taken steps to protect patient data from theft or similar criminal activity by adding technical safeguards to secure all electronic records. Training and outreach were also expanded to remind employees of their obligations with regard to HIPAA and patient privacy. Healthcare systems across the nation continue to be targeted by data breaches and malicious cyberattacks. The responsibility to safeguard patient data must be taken seriously, and organizations should remain committed to maintaining the security practices and cybersecurity measures that protect patients’ privacy.