Montefiore Medical Center pays $4.8M after OIG investigation of insider data breach

Montefiore Medical Center has agreed to a $4.75 million settlement over data security failures federal officials uncovered when investigating an employee who had sold patient information to criminals.

Announced Tuesday, the deal between the New York City-based nonprofit, the U.S. Department of Health and Human Services (HHS) and the Office for Civil Rights (OCR) includes a corrective action plan and two years of federal monitoring. It addresses “multiple potential failures” by Montefiore that paved the way for the former employee’s theft about a decade back.

“Unfortunately, we are living in a time where cyber-attacks from malicious insiders are not uncommon. Now more than ever, the risks to patient protected health information cannot be overlooked and must be addressed swiftly and diligently,” OCR Director Melanie Fontes Rainer said in the settlement announcement. “This investigation and settlement with Montefiore are an example of how the healthcare sector can be severely targeted by cyber criminals and thieves—even within their own walls.”

After receiving a tip from police in May 2015, Montefiore conducted an internal investigation and found that an employee had been inappropriately accessing 12,517 patients’ account information through Montefiore’s electronic medical record system from Jan. 1, 2013, to June 30, 2013, the government said.

Some of that information, which included patients’ names, addresses, Social Security numbers and health insurance information, was sold by the employee to an identity theft ring. Montefiore filed a breach report with OCR and HHS notified the system on Nov. 23, 2015, that it would be conducting an investigation over the system’s HIPAA compliance, according to the settlement.

That investigation uncovered potential violations of three provisions within the HIPAA Rules: “to analyze and identify potential risks and vulnerabilities to protected health information, to monitor and safeguard its health information systems’ activity, and to implement policies and procedures that record and examine activity in information systems containing or using protected health information,” the government wrote in Tuesday’s announcement.

“Without these safeguards in place, Montefiore Medical Center was unable to prevent the cyberattack or even detect the attack had happened until years later,” HHS said.

Alongside the multimillion-dollar payout, the settlement agreement tasks Montefiore with conducting an “accurate and thorough” assessment of its electronic protected health information and developing a written risk management plan to address what comes up in the analysis.

The system has also agreed to develop a plan to implement mechanisms that record and examine any activity within systems that contain or use electronic protected health information, to review and revise its policies and procedures to comply with HIPAA Privacy and Security Rules, and to provide related training to its workforce, per the settlement.

In an emailed statement, Montefiore told Fierce Healthcare that the employee was terminated "in the immediate aftermath of the event" and later successfully prosecuted. The system also said it was already working to expand monitoring capabilities before it was officially notified of the data theft, and has also increased its staff training on privacy and security. 

“With healthcare systems across the country continuing to be targets for data breaches and other malicious cyberattacks, we take our responsibility to protect patient information very seriously and remain committed to ensuring safety protocols and cybersecurity safeguards are always maintained to protect our patients' privacy,” a spokesperson for Montefiore said.

More than 134 million individuals were impacted in large data breaches reported to OCR during 2023, up from 55 million in 2022, per HHS. The rising numbers have become a key focus for HHS, which recently released voluntary cybersecurity performance goals for hospitals and is promising future rulemaking to incentivize resiliency across the sector.