HHS’ Office for Civil Rights Settles Malicious Insider Cybersecurity Investigation with Montefiore Medical Center for $4.75 Million

The U.S. Department of Health and Human Services (HHS), Office for Civil Rights (OCR), has reached a $4.75 million settlement with Montefiore Medical Center, a non-profit hospital system based in New York City, following an investigation into potential violations of the Health Insurance Portability and Accountability Act (HIPAA) Security Rule. The settlement addresses several data security failures by Montefiore that allowed an employee to steal and sell patients’ protected health information over a six-month period.

The OCR, responsible for enforcing health information privacy laws, including HIPAA, uncovered multiple potential breaches of the HIPAA Security Rule during its investigation. The breaches included Montefiore's failure to analyze and identify potential risks and vulnerabilities to protected health information, monitor and safeguard health information systems' activity, and implement policies and procedures for recording and examining activity in systems containing or using protected health information.

According to OCR Director Melanie Fontes Rainer, the settlement highlights the increasing threat of cyber-attacks from malicious insiders in the healthcare sector. She emphasized the need for swift and diligent action to address risks to patient protected health information in today's cybersecurity landscape.

HHS Deputy Secretary Andrea Palm echoed this sentiment, stating that cybersecurity threats, particularly those originating from insiders, pose a significant risk to patient security. Palm emphasized the importance of health care systems establishing trust by implementing policies and procedures to secure patients' medical information.

The investigation originated from an incident in May 2015 when the New York Police Department informed Montefiore Medical Center of evidence of the theft of a specific patient's medical information. Subsequent internal investigations revealed that an employee had stolen the electronic protected health information of 12,517 patients two years prior and sold it to an identity theft ring. The breach report filed with OCR triggered the extensive investigation into Montefiore's security practices.

As part of the settlement, Montefiore Medical Center will pay $4,750,000 to OCR and implement a corrective action plan. The plan includes conducting a thorough assessment of security risks, developing a risk management plan, implementing mechanisms to record and examine activity in information systems, reviewing and revising policies and procedures to comply with HIPAA rules, and providing training to its workforce on HIPAA policies and procedures.

OCR will monitor Montefiore Medical Center for two years to ensure compliance with the terms of the settlement. This settlement aligns with HHS's broader efforts to enhance cybersecurity in the health care sector, as demonstrated by the release of a Department-wide Cybersecurity strategy in December 2023 and voluntary performance goals to improve cybersecurity across the health sector.

In its breach reports, OCR noted a significant increase in the number of individuals affected by large breaches in 2023, emphasizing the need for health care providers, health plans, clearinghouses, and business associates covered by HIPAA to implement safeguards. Recommendations include reviewing vendor and contractor relationships, integrating risk analysis into business processes, ensuring regular review of information system activity, employing multi-factor authentication, encrypting protected health information, and providing regular training to reinforce workforce members' critical role in protecting privacy and security.

The settlement serves as a stark reminder for the health care sector to remain vigilant against cyber threats, both external and internal, to safeguard patient information and uphold the principles of privacy and security.

The GRC Report is the first word in governance, risk, and compliance news. As your trusted source for comprehensive coverage, the GRC Report keeps you informed and equipped to navigate the evolving landscape of governance, risk, and compliance. And remember, the GRC Report isn't just a news source; it's a community of professionals who share your passion for GRC excellence. Don't miss out on our insightful articles and breaking news – join the conversation and empower your GRC journey.