Montefiore Medical Center has settled a malicious insider cybersecurity investigation with the U.S. Department of Health and Human Services' Office for Civil Rights (OCR) in a $4.75 million settlement.
In May 2015, the New York Police Department alerted Montefiore Medical Center to the theft of a patient's medical information, triggering an internal investigation by the center. This probe uncovered that, starting two years prior, an employee had stolen the electronic protected health information (ePHI) of 12,517 patients, selling it to an identity theft ring.
The OCR conducted its own investigation, finding multiple potential violations of the HIPAA Security Rule by Montefiore Medical Center. These violations include failures in:
Cybersecurity within the healthcare sector requires strategies, procedures, and technologies to block unauthorized entry, prevent data leaks, and prevent harmful cyber activities that might compromise patient data confidentiality and healthcare systems' overall reliability.
The OCR has recommended several safeguards covered entities and their business associates must implement to avoid cybersecurity threats. These include:
See also: Healthcare and cybersecurity
“Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” said OCR Director Melanie Fontes Rainer. “This investigation and settlement with Montefiore are an example of how the health care sector can be severely targeted by cyber criminals and thieves—even within their own walls. Cyber-attacks do not discriminate based on organization size or stature, and it’s incumbent that our health care system follow the law to protect patient records.”
HHS Deputy Secretary Andrea Palm also commented on the HHS stance on cybersecurity: “Cyber-attacks that are carried out by insiders are one of the many ways that can lead to a security breach, leaving patients vulnerable. Our priority is and always has been improving the quality of health care patients receive. Part of this health care is establishing a trust that medical records will not be exposed. HHS will continue to remind health care systems of their responsibility as providers, which is to have policies and procedures in place to keep patients’ medical information secure.”
This breach increased the number of individuals affected by large breaches, rising from 55 million in 2022 to over 134 million in 2023. In response to these escalating threats, the HHS took decisive action by releasing a Department-wide Cybersecurity strategy for the healthcare sector in December 2023.
This plan strengthens healthcare's defenses against cyber threats by creating a unified framework. It focuses on the specific weaknesses of healthcare information systems. The goal is to make cybersecurity practices consistent across the industry. This will help healthcare providers better safeguard patient information from unauthorized access and cyberattacks.
The HHS's introduction of voluntary performance goals just last week marks a step forward in building a resilient healthcare infrastructure. These goals serve as a benchmark for healthcare organizations, guiding them in implementing effective cybersecurity measures.
Montefiore Medical Center has agreed to a $4.75 million settlement with the OCR. Moving forward, the medical center is required to implement a comprehensive corrective action plan. This plan mandates actions such as a thorough risk assessment to identify vulnerabilities in the protection of ePHI and providing targeted training to its workforce on HIPAA policies and procedures. The OCR will also monitor Montefiore Medical Center for two years to ensure compliance with these regulations.
See also: Top 10 HIPAA compliant email services