Medical Center Fined $4.75M in Insider ID Theft Incident
HHS OCR Says a Malicious Worker Stole and Sold Patient Information in 2013
Federal regulators fined a New York City medical center $4.75 million and called for a corrective action plan to settle potential HIPAA violations discovered during the investigation of a hospital insider who sold patient data to an identity theft ring in 2013.
The U.S. Department of Health and Human Services' Office for Civil Rights on Tuesday said the settlement with Montefiore Medical Center in the Bronx stems from "data security failures" at the organization that led to an employee stealing and selling patients' protected health information from January to June 2013.
Medical center officials did not become aware of the incident until the New York Police Department in May 2015 notified them about evidence of the theft of a specific patient's medical information. That prompted Montefiore Medical Center to conduct an internal investigation, which led to the discovery that two years prior, one of the group's workers had stolen the electronic protected health information of thousands of patients and sold it to an identity theft ring, HHS OCR said.
Montefiore reported the incident to HHS OCR in July 2015 as a theft involving electronic health records affecting 12,517 individuals.
OCR said its investigation into the matter found multiple potential violations of the HIPAA Security Rule, including failures by Montefiore to analyze and identify potential risks and vulnerabilities to PHI, monitor and safeguard its health information systems' activity, and implement policies and procedures that record and examine activity in systems containing or using PHI.
"Without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later," HHS OCR said in a statement.
"Unfortunately, we are living in a time where cyberattacks from malicious insiders are not uncommon," said HHS OCR Director Melanie Fontes Rainer in the statement.
"Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently," she said. "This investigation and settlement with Montefiore are an example of how the healthcare sector can be severely targeted by cybercriminals and thieves - even within their own walls."
In addition to the multimillion-dollar financial settlement, Montefiore agreed to implement a corrective action plan that includes conducting a thorough security risk analysis of electronic PHI, addressing any risk and vulnerabilities identified in the analysis, implementing audit controls to record and examine activity involving ePHI, and reviewing and updating its privacy and security procedures and practices.
The corrective action plan also calls for Montefiore to distribute its updated privacy and security policies and procedures to its workforce and to provide training materials that address the requirements of the HIPAA Privacy, Security, and Breach Notification rules for all workforce members who have access to PHI.
Montefiore in a statement provided to Information Security Media Group said that upon discovery of the incident and in the intervening years, the medical center has taken "significant steps" to improve the security of its systems and to reinforce the protection of patient information.
Montefiore fired the worker involved in the patient information theft. That employee was arrested, charged with three felonies and successfully prosecuted for the crime, the medical center said.
"Before being officially notified of the theft, Montefiore had already worked to expand monitoring capabilities for applications that contain patient information and took steps to protect patient information from theft or similar criminal activity by adding additional technical safeguards to protect all electronic records," the medical center said.
Since the incident, Montefiore has increased training and outreach to the staff to reinforce its privacy and security standards, it said.
"With healthcare systems across the country continuing to be targets for data breaches and other malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients' privacy," Montefiore said.
HHS OCR's settlement with Montefiore comes on the heels of several other HIPAA enforcement actions by the agency in recent months.
They include a $160,000 settlement with New Jersey-based Optum Medical Care related to six "right of access" complaints filed against the practice in 2021; a $480,000 settlement with Louisiana-based Lafourche Medical Group in the agency's first HIPAA case centered on a phishing breach, which affected nearly 35,000 individuals; and a $100,000 settlement with Massachusetts-based Doctors Management Group following an investigation into a ransomware breach reported in 2019 that affected nearly 206,700 individuals.
"While most recent OCR settlements have involved 'right of access' cases and have been less than $1 million, this latest settlement is a reminder that OCR is still willing to impose significant penalties for what they view as patterns of noncompliance," said privacy attorney Adam Greene of the law firm Davis Wright Tremaine. "Historically, OCR has been especially willing to seek larger settlement amounts with larger-sized entities."
While the threat from external hackers continues to grow by the day, the threat of insiders looking to use Social Security numbers and other patient information for identity theft has never gone away, Greene said. "Organizations should consider where they can reduce their usage of SSNs and how they can monitor for any suspicious levels of access to such data."
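The audit-control and monitoring points above (recording and examining activity in systems holding ePHI, and watching for suspicious levels of access) can be made concrete with a small detection routine. The following is an added example, not code from the article, HHS OCR or Montefiore: it parses a constructed, hypothetical access-log format (timestamp, user, patient ID, action), counts distinct patient records each user touches per day, and flags users whose count is far above their peers'. It uses a median/MAD robust z-score rather than mean/standard deviation, because a single high-volume insider inflates the standard deviation enough to hide itself from a naive check; the `naive_z` helper is included only to show that masking effect. All thresholds and log lines are assumptions chosen for illustration.

```python
"""Flag workforce members whose daily ePHI record access is far above their peers'.

Added example with constructed sample data; not data or code from the article.
"""
from collections import defaultdict
from statistics import mean, median, pstdev


def build_sample_log():
    """Return constructed log lines (hypothetical format: 'timestamp user patient_id action').

    Day one: four users with typical volume and one user ('mallory') touching 60 records.
    Day two: every user, including mallory, looks normal.
    """
    lines = []
    daily = {"alice": 4, "bob": 5, "carol": 3, "dave": 4, "mallory": 60}
    for idx, (user, n) in enumerate(daily.items()):
        for i in range(n):
            lines.append(f"2013-03-04T{8 + i // 60:02d}:{i % 60:02d}:00 {user} P{idx}{i:03d} view")
    for idx, user in enumerate(daily):
        for i in range(3):
            lines.append(f"2013-03-05T09:{i:02d}:00 {user} P{idx}{i:03d} view")
    return lines


def parse_line(line):
    """Split one log line into (day, user, patient_id, action)."""
    ts, user, patient, action = line.split()
    return ts[:10], user, patient, action


def distinct_patients_per_user_day(lines):
    """Map (day, user) -> number of distinct patient records that user accessed that day."""
    seen = defaultdict(set)
    for line in lines:
        day, user, patient, _ = parse_line(line)
        seen[(day, user)].add(patient)
    return {key: len(patients) for key, patients in seen.items()}


def naive_z(value, peers):
    """Classic z-score; shown only because an outlier inflates pstdev and masks itself."""
    sd = pstdev(peers)
    return 0.0 if sd == 0 else (value - mean(peers)) / sd


def robust_z(value, peers):
    """Median/MAD z-score: the outlier does not move the median or the MAD much."""
    med = median(peers)
    mad = median(abs(p - med) for p in peers)
    mad = max(mad, 1.0)  # floor so a near-constant peer group cannot yield infinite scores
    return (value - med) / (1.4826 * mad)


def flag_excessive_access(lines, z_threshold=5.0, absolute_cap=25):
    """Return alerts for (day, user) pairs whose distinct-patient count is anomalous.

    A user is flagged when their count exceeds the absolute cap (assumed value) or when
    their robust z-score against same-day peers exceeds z_threshold (assumed value).
    """
    counts = distinct_patients_per_user_day(lines)
    by_day = defaultdict(dict)
    for (day, user), n in counts.items():
        by_day[day][user] = n
    alerts = []
    for day in sorted(by_day):
        peers = list(by_day[day].values())
        for user, n in sorted(by_day[day].items()):
            z = robust_z(n, peers)
            if n > absolute_cap or z > z_threshold:
                alerts.append({"day": day, "user": user,
                               "distinct_patients": n, "robust_z": round(z, 1)})
    return alerts


if __name__ == "__main__":
    for alert in flag_excessive_access(build_sample_log()):
        print(alert)
```

On the constructed data the mean/stdev score for the high-volume user is about 2.0, below a typical 3-sigma cut, while the robust score is about 37.8; in practice the per-day peer group would be narrowed to the same role or department, and the alert would be reviewed against the user's legitimate workload before any action.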
Privacy attorney Iliana Peters of the law firm Polsinelli wonders why HHS OCR is only now striking a settlement in the investigation involving the Montefiore incident, considering that nearly a decade has passed since the breach was reported.
"Specifically, while this settlement highlights the ongoing work OCR is doing with regard to breach notifications that it receives from HIPAA-covered entities and business associates, why are these investigations taking so long to conclude?" she asked. "Also, if OCR's concern is identifying regulated entities that aren't complying with the HIPAA rules, including for purposes of raising the cybersecurity bar for the healthcare sector as a whole, why aren't they investigating any entities that have not reported breaches to OCR?"
Last year, the healthcare sector reported a record number of major health data breaches - 734 incidents - affecting a record number of individuals - nearly 135.3 million - to HHS OCR. That's equal to more than 40% of the U.S. population having their protected health information compromised in a single year (see: How 2023 Broke Long-Running Records for Health Data Breaches).
The vast majority of those breaches involved hacking incidents.
HHS recently issued guidance that urges healthcare sector entities to implement a list of voluntary "essential" and "enhanced" cybersecurity performance goals to help better address the surging cyberthreats (see: HHS Details New Cyber Performance Goals for Health Sector).